October 2020 Patch Tuesday – 87 Vulnerabilities, 11 Critical, SharePoint, TCP/IP Stack, Graphics, Adobe Vulns


This month’s Microsoft Patch Tuesday addresses 87 vulnerabilities with 11 of them labeled as Critical. The 11 Critical vulnerabilities cover TCP/IP Stack, SharePoint, Windows Camera Codec Pack, Graphics and several other workstation vulnerabilities. Adobe issued patches today for Adobe Flash Player.

### Workstation Patches

Continuing the trend, today’s Patch Tuesday fixes many vulnerabilities that impact workstations. Vulnerabilities in the Windows Camera Codec, GDI+, Browser, Hyper-V, Outlook, Media Foundation and Graphics components should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

### Windows TCP/IP RCE

An extremely critical Remote Code Execution vulnerability ([CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>)) is fixed today. Microsoft ranks this vulnerability as “Exploitation More Likely,” and according to Microsoft and the [researchers at McAfee](<https://github.com/advanced-threat-research/CVE-2020-16898>), the vulnerability is wormable. It is highly recommended to prioritize these patches on all Windows 10 systems, including Microsoft DNS Servers. This vulnerability allows attackers to take complete control over Windows systems by sending malicious ICMPv6 Router Advertisement packets to vulnerable systems.

### SharePoint RCE

Two remote code execution vulnerabilities ([CVE-2020-16951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951>), [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>)) are patched in SharePoint Server that would allow an authenticated user on a guest system to perform security actions for an application pool process. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all SharePoint servers.

### Graphics RCE

A remote code execution vulnerability ([CVE-2020-16923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16923>)) is patched in the Graphics component that could be exploited once a user opens a specially crafted file. Based on the information given, this should be prioritized across all Windows servers and workstations.

### Adobe

Adobe issued patches today covering multiple vulnerabilities in [Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb20-58.html>). The patches for Flash Player are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>). While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.

### About Patch Tuesday

Patch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).
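
For the Windows TCP/IP RCE section above, a detection-side illustration (an added example, not code from this post, Microsoft or McAfee): public analysis of CVE-2020-16898 ties it to Router Advertisements whose RDNSS option (type 25) carries an even Length, which RFC 8106 never allows. The Python check below walks the options of a captured ICMPv6 message and reports such violations; the function names and the sample packets are constructed for this example.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_RDNSS = 25          # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16         # fixed RA fields before the options


def check_router_advertisement(icmpv6: bytes) -> list:
    """Return findings for one ICMPv6 message (bytes starting at the Type field)."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings  # not a Router Advertisement, nothing to check
    offset = RA_HEADER_LEN
    while offset < len(icmpv6):
        if offset + 2 > len(icmpv6):
            findings.append(f"truncated option header at offset {offset}")
            break
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:  # RFC 4861: zero-length options are invalid
            findings.append(f"option type {opt_type} at offset {offset} has Length 0")
            break
        # RFC 8106: RDNSS Length = 1 + 2 * (number of addresses), so odd and >= 3
        if opt_type == ND_OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"RDNSS option at offset {offset} has invalid Length {opt_len}")
        if offset + opt_len * 8 > len(icmpv6):
            findings.append(f"option type {opt_type} at offset {offset} overruns the packet")
            break
        offset += opt_len * 8  # Length is counted in units of 8 octets
    return findings


def build_ra(*options: bytes) -> bytes:
    """Constructed sample RA: checksum left at 0, hop limit 64, lifetime 1800 s."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + b"".join(options)


def nd_option(opt_type: int, length_units: int) -> bytes:
    """Constructed sample option with a zero-filled body of length_units * 8 octets."""
    return bytes([opt_type, length_units]) + bytes(length_units * 8 - 2)


# Constructed samples: prefix information (type 3) plus one RDNSS option each.
CONFORMING_RA = build_ra(nd_option(3, 4), nd_option(ND_OPT_RDNSS, 3))
MALFORMED_RA = build_ra(nd_option(3, 4), nd_option(ND_OPT_RDNSS, 4))

if __name__ == "__main__":
    for name, pkt in (("conforming", CONFORMING_RA), ("malformed", MALFORMED_RA)):
        print(name, check_router_advertisement(pkt) or "no findings")
```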