Microsoft’s scheduled monthly updates for October 2020 are out. With the October Patch Tuesday, Microsoft released fixes for 87 bugs in all, including multiple critical vulnerabilities and some publicly known flaws.
6 Publicly Known Exploits And Some Critical Bugs Received Fixes
With October Patch Tuesday, Microsoft has addressed 6 important severity bugs that were publicly disclosed before a fix could be delivered for them.
These include three information disclosure vulnerabilities: CVE-2020-16937 affecting the .NET Framework, and CVE-2020-16901 and CVE-2020-16938 in the Windows Kernel. The other four bugs could lead to privilege escalation. These include CVE-2020-16885 in the Windows Storage VSP Driver, CVE-2020-16908 affecting Windows Setup, and CVE-2020-16909 in Windows Error Reporting.
Since these bugs are already publicly known, Windows users should update their systems as early as possible to avoid any mishap.
Besides these, 11 other vulnerabilities also demand immediate attention from users now that Microsoft has released fixes for them. All of these are critical-severity bugs that could allow remote code execution by an adversary.
One such bug, CVE-2020-16947, existed due to improper handling of objects in memory by Microsoft Outlook. Exploiting this bug could allow the attacker to execute code in the context of the current user. This is particularly alarming where the current user is an admin.
Exploiting the bug merely required an attacker to convince a user running a vulnerable version of Outlook to open a maliciously crafted file.
Other Microsoft Patch Tuesday Updates
Besides the above-mentioned updates, Microsoft also released fixes for 69 other important-severity vulnerabilities. These, upon exploitation, could lead to remote code execution, elevation of privilege, information disclosure, cross-site scripting, and more.
The update bundle also included a fix for a single moderate-severity vulnerability affecting Microsoft Outlook. The vulnerability, CVE-2020-16949, existed because of improper handling of objects in memory by the Microsoft Outlook software. To exploit this bug, an attacker merely had to send a maliciously crafted email to the target system to cause a denial of service.
Full details of all vulnerability fixes included with this Patch Tuesday are available here.