Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which, if exploited, could allow for remote code execution.
One flaw (CVE-2020-17023) exists in Visual Studio Code, a free source-code editor made by Microsoft for Windows, Linux and macOS. The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.
“Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,” according to [a Friday CISA alert on the patches](<https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution>). “An attacker could exploit these vulnerabilities to take control of an affected system.”
According to Microsoft, one “important” severity flaw ([CVE-2020-17022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17022>)) stems from the way that Microsoft Windows Codecs Library handles objects in memory. This vulnerability has a CVSS score of 7.8 out of 10.
An attacker who successfully exploited the vulnerability could execute arbitrary code, according to Microsoft. While an attacker could launch the attack remotely, exploitation requires that a program process a specially crafted image file.
Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable. The secure Microsoft-installed package versions are 1.0.32762.0, 1.0.32763.0, and later.
“The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,” according to Microsoft.
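The version check described above can be scripted to confirm that the Store update has landed on a given host. The following PowerShell is an added example, not code from Microsoft or from the article. It assumes the Store package identity names `Microsoft.HEVCVideoExtension` and `Microsoft.HEVCVideoExtensions`, and uses 1.0.32762.0 (the lower of the two fixed versions quoted above) as the threshold; the function name and sample records are constructed for illustration.

```powershell
# Added example: audit the optional HEVC codec packages for CVE-2020-17022.
# Assumption: anything below 1.0.32762.0 (the lower fixed version quoted
# in the article) is treated as unpatched.
$FixedVersion = [version]'1.0.32762.0'

# Assumed Store package identity names:
#   Microsoft.HEVCVideoExtension  - "HEVC from Device Manufacturer"
#   Microsoft.HEVCVideoExtensions - "HEVC Video Extensions"
$HevcPackages = 'Microsoft.HEVCVideoExtension', 'Microsoft.HEVCVideoExtensions'

function Test-HevcCodecPackage {
    # Hypothetical helper: classifies package records that expose
    # Name and Version properties, as Get-AppxPackage output does.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Package
    )
    process {
        # Ignore anything that is not one of the two HEVC codec packages.
        if ($Package.Name -notin $HevcPackages) { return }

        # [version] compares each numeric field, so 1.0.4000.0 sorts
        # below 1.0.32762.0 (a plain string comparison would not).
        $installed = [version]$Package.Version
        [pscustomobject]@{
            Name    = $Package.Name
            Version = $installed
            Status  = if ($installed -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }
        }
    }
}

# Constructed sample records (not real inventory data) showing each outcome.
$sample = @(
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtension';  Version = '1.0.4000.0'  }
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtensions'; Version = '1.0.32763.0' }
    [pscustomobject]@{ Name = 'Contoso.UnrelatedApp';          Version = '0.9.0.0'     }
)
$sample | Test-HevcCodecPackage | Format-Table -AutoSize

# Live check on a Windows host. The wildcard matches both package names.
# Add -AllUsers from an elevated session to cover every profile on the machine.
if (Get-Command Get-AppxPackage -ErrorAction SilentlyContinue) {
    $found = @(Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*' | Test-HevcCodecPackage)
    if ($found.Count -eq 0) {
        # Per the article, only hosts with the optional codec installed may be vulnerable.
        'No optional HEVC codec package installed for this user.'
    } else {
        $found | Format-Table -AutoSize
    }
}
```

A host that reports `Vulnerable` has the optional codec installed but has not yet received the Store update.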
The other “important” severity flaw (which also has a CVSS score of 7.8 out of 10) exists in Visual Studio Code, when a user is tricked into opening a malicious ‘package.json’ file.
According to Microsoft, an attacker who successfully exploited this flaw ([CVE-2020-17023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17023>)) could run arbitrary code in the context of the current user. An attacker would first need to convince a target to clone a repository and open it in Visual Studio Code (via social engineering or otherwise). The attacker’s malicious code would execute when the target opens the malicious ‘package.json’ file.
“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft’s update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.
In a Twitter thread, Justin Steven, who reported the flaw, said that the issue stems from a bypass of a previously deployed patch for an RCE flaw in Visual Studio Code (CVE-2020-16881).
> Microsoft Visual Studio Code seems to have botched the fix for CVE-2020-16881, a "remote code execution" vulnerability regarding "malicious package.json files". The patch can be trivially bypassed. A thread 🧵
>
> — GNU/JUSTIN (@justinsteven) [October 2, 2020](<https://twitter.com/justinsteven/status/1312152915344195584?ref_src=twsrc%5Etfw>)
Neither flaw has been observed being exploited in the wild, according to Microsoft. Microsoft also did not offer mitigations or workarounds for either flaw – but updates will be automatically installed for users.
“Affected customers will be automatically updated by Microsoft Store,” according to Microsoft. “Customers do not need to take any action to receive the update.”
The fixes come days after [Microsoft’s October Patch Tuesday updates](<https://threatpost.com/october-patch-tuesday-wormable-bug/160044/>), during which it released fixes for 87 security vulnerabilities, 11 of them critical – and one potentially wormable.
In the case of these bugs, “servicing for store apps/components does not follow the monthly ‘Update Tuesday’ cadence, but are offered whenever necessary,” according to Microsoft.
{"id": "THREATPOST:AACCB861556B5F149B9D739F4717C3C3", "type": "threatpost", "bulletinFamily": "info", "title": "Microsoft Fixes RCE Flaws in Out-of-Band Windows Update", "description": "Microsoft has issued out-of-band patches for two \u201cimportant\u201d severity vulnerabilities, which if exploited could allow for remote code execution.\n\nOne flaw (CVE-2020-17023) exists in Microsoft\u2019s Visual Studio Code is a free source-code editor made by Microsoft for Windows, Linux and macOS. The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.\n\n\u201cMicrosoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,\u201d according to [a Friday CISA alert on the patches](<https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution>). \u201cAn attacker could exploit these vulnerabilities to take control of an affected system.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Microsoft, one \u201cimportant\u201d severity flaw ([CVE-2020-17022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17022>)) stems from the way that Microsoft Windows Codecs Library handles objects in memory. This vulnerability has a CVSS score of 7.8 out of 10.\n\nAn attacker who successfully exploited the vulnerability could execute arbitrary code, according to Microsoft. While an attacker could be remote to launch the attack, exploitation requires that a program process a specially crafted image file.\n\nOnly customers who have installed the optional HEVC or \u201cHEVC from Device Manufacturer\u201d media codecs from Microsoft Store may be vulnerable. 
The secure Microsoft installed packed versions are 1.0.32762.0, 1.0.32763.0, and later.\n\n\u201cThe update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory,\u201d according to Microsoft.\n\nThe other \u201cimportant\u201d severity flaw (which also has a CVSS score of 7.8 out of 10) exists in Visual Studio Code, when a user is tricked into opening a malicious \u2018package.json\u2019 file.\n\nAccording to Microsoft, an attacker who successfully exploited this flaw ([CVE-2020-17023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17023>)) could run arbitrary code in the context of the current user. An attacker would first need to convince a target to clone a repository and open it in Visual Studio Code (via social engineering or otherwise). The attacker\u2019s malicious code would execute when the target opens the malicious \u2018package.json\u2019 file.\n\n\u201cIf the current user is logged on with administrative user rights, an attacker could take control of the affected system,\u201d said Microsoft. \u201cAn attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nMicrosoft\u2019s update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.\n\nIn a Twitter thread, Justin Steven, who reported the flaw, said that the issue stems from a bypass of a previously deployed patch for an RCE flaw in Visual Studio Code (CVE-2020-16881).\n\n> Microsoft Visual Studio Code seems to have botched the fix for CVE-2020-16881, a \"remote code execution\" vulnerability regarding \"malicious package.json files\". The patch can be trivially bypassed. A thread \ud83e\uddf5\n> \n> \u2014 GNU/JUSTIN (@justinsteven) [October 2, 2020](<https://twitter.com/justinsteven/status/1312152915344195584?ref_src=twsrc%5Etfw>)\n\nNeither flaw has been observed being exploited in the wild according to Microsoft. 
Microsoft also did not offer mitigations or workarounds for other flaws \u2013 but updates will be automatically installed for users.\n\n\u201cAffected customers will be automatically updated by Microsoft Store,\u201d according to Microsoft. \u201cCustomers do not need to take any action to receive the update.\u201d\n\nThe fixes come days after [Microsoft\u2019s October Patch Tuesday updates](<https://threatpost.com/october-patch-tuesday-wormable-bug/160044/>), during which it released fixes for 87 security vulnerabilities, 11 of them critical \u2013 and one potentially wormable.\n\nIn the case of these bugs, \u201cservicing for store apps/components does not follow the monthly \u2018Update Tuesday\u2019 cadence, but are offered whenever necessary,\u201d according to Microsoft.\n", "published": "2020-10-16T20:47:02", "modified": "2020-10-16T20:47:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/microsoft-rce-flaws-windows-update/160244/", "reporter": "Lindsey O'Donnell", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution", "https://threatpost.com/newsletter-sign/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17022", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17023", "https://twitter.com/justinsteven/status/1312152915344195584?ref_src=twsrc%5Etfw", "https://threatpost.com/october-patch-tuesday-wormable-bug/160044/"], "cvelist": ["CVE-2020-16881", "CVE-2020-17022", "CVE-2020-17023"], "lastseen": "2020-10-19T15:17:24", "viewCount": 109, "enchantments": {"dependencies": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4"]}, {"type": "cisa", "idList": ["CISA:C14D003FF1B3CB2AB78DBB99347FF1E2"]}, {"type": "cve", "idList": ["CVE-2020-16881", "CVE-2020-17022", "CVE-2020-17023"]}, {"type": "kaspersky", "idList": ["KLA11956", "KLA11980", "KLA11981"]}, {"type": "mscve", 
"idList": ["MS:CVE-2020-16881", "MS:CVE-2020-17022", "MS:CVE-2020-17023"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_OCT_HEVC_OOB.NASL", "SMB_NT_MS20_OCT_VISUAL_STUDIO_CODE.NASL", "SMB_NT_MS20_SEP_VISUAL_STUDIO_CODE.NASL"]}]}, "score": {"value": 1.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4"]}, {"type": "cisa", "idList": ["CISA:C14D003FF1B3CB2AB78DBB99347FF1E2"]}, {"type": "cve", "idList": ["CVE-2020-16881"]}, {"type": "kaspersky", "idList": ["KLA11980", "KLA11981"]}, {"type": "mscve", "idList": ["MS:CVE-2020-16881"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_SEP_VISUAL_STUDIO_CODE.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366"]}]}, "exploitation": null, "vulnersScore": 1.4}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659743467}}
{"cisa": [{"lastseen": "2021-02-24T18:06:44", "description": "Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code. An attacker could exploit these vulnerabilities to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft security advisories for [CVE-2020-17022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17022>) and [CVE-2020-17023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17023>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T00:00:00", "type": "cisa", "title": "Microsoft Releases Security Updates to Address Remote Code Execution Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17022", "CVE-2020-17023"], "modified": "2020-10-16T00:00:00", "id": "CISA:C14D003FF1B3CB2AB78DBB99347FF1E2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/microsoft-releases-security-updates-address-remote-code-execution", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-11-21T14:41:38", "description": "The version of Microsoft Visual Studio Code installed on the remote Windows host is prior to 1.50.1. It is, therefore, affected by the following vulnerability:\n\n - A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. 
Attacker-specified code would execute when the target opens the malicious 'package.json' file.\n (CVE-2020-17023)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-27T00:00:00", "type": "nessus", "title": "Security Update for Microsoft Visual Studio Code (CVE-2020-17023)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17023"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio_code"], "id": "SMB_NT_MS20_OCT_VISUAL_STUDIO_CODE.NASL", "href": "https://www.tenable.com/plugins/nessus/141931", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141931);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-17023\");\n script_xref(name:\"IAVA\", value:\"2020-A-0459-S\");\n\n script_name(english:\"Security Update for Microsoft Visual Studio Code (CVE-2020-17023)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application installed that is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Visual Studio Code installed on the remote\nWindows host is prior to 1.50.1. It is, therefore, affected by the\nfollowing vulnerability:\n\n - A remote code execution vulnerability exists in Visual Studio Code when a\n user is tricked into opening a malicious 'package.json' file. An attacker who\n successfully exploited the vulnerability could run arbitrary code in the\n context of the current user. 
If the current user is logged on with\n administrative user rights, an attacker could take control of the affected\n system. An attacker could then install programs; view, change, or delete\n data; or create new accounts with full user rights. To exploit this\n vulnerability, an attacker would need to convince a target to clone a\n repository and open it in Visual Studio Code. Attacker-specified code would\n execute when the target opens the malicious 'package.json' file.\n (CVE-2020-17023)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://code.visualstudio.com/updates/v1_50\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17023\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b0953a5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Visual Studio Code 1.50.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17023\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio_code\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_visual_studio_code_installed.nbin\", \"microsoft_visual_studio_code_win_user_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Visual Studio Code\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Microsoft Visual Studio Code', win_local:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'fixed_version' : '1.50.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:20:08", "description": "The version of Microsoft Visual Studio Code installed on the remote Windows host is prior to 1.48.2. It is, therefore, affected by the following vulnerability:\n\n - A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker- specified code would execute when the target opens the malicious 'package.json' file. 
The update address the vulnerability by modifying the way Visual Studio Code handles JSON files.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-09-08T00:00:00", "type": "nessus", "title": "Security Update for Microsoft Visual Studio Code (CVE-2020-16881)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16881"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio_code"], "id": "SMB_NT_MS20_SEP_VISUAL_STUDIO_CODE.NASL", "href": "https://www.tenable.com/plugins/nessus/140432", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140432);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-16881\");\n script_xref(name:\"IAVA\", value:\"2020-A-0411-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0118\");\n\n script_name(english:\"Security Update for Microsoft Visual Studio Code (CVE-2020-16881)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application installed that is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Visual Studio Code installed on the remote\nWindows host is prior to 1.48.2. It is, therefore, affected by the\nfollowing vulnerability:\n\n - A remote code execution vulnerability exists in Visual\n Studio Code when a user is tricked into opening a\n malicious 'package.json' file. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the current user. If\n the current user is logged on with administrative user\n rights, an attacker could take control of the affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. To exploit this vulnerability, an\n attacker would need to convince a target to clone a\n repository and open it in Visual Studio Code. Attacker-\n specified code would execute when the target opens the\n malicious 'package.json' file. 
The update address the\n vulnerability by modifying the way Visual Studio Code\n handles JSON files.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://code.visualstudio.com/updates/v1_48\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16881\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa187f85\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Visual Studio Code 1.48.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16881\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio_code\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_visual_studio_code_installed.nbin\", \"microsoft_visual_studio_code_win_user_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Visual Studio Code\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Microsoft Visual Studio Code', win_local:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'fixed_version' : '1.48.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-19T00:55:27", "description": "The Windows 'HEVC Video Extensions' or 'HEVC from Device Manufacturer' app installed on the remote host is affected by a remote code execution vulnerability :\n\n - A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code.\n Exploitation of the vulnerability requires that a program process a specially crafted image file. (CVE-2020-17022)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-11-06T00:00:00", "type": "nessus", "title": "Microsoft Windows Codecs Library RCE (October 2020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17022"], "modified": "2020-11-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_OCT_HEVC_OOB.NASL", "href": "https://www.tenable.com/plugins/nessus/142595", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142595);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\"CVE-2020-17022\");\n script_xref(name:\"IAVA\", value:\"2020-A-0457-S\");\n\n script_name(english:\"Microsoft Windows Codecs Library RCE (October 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows app installed on the remote host is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 'HEVC Video Extensions' or 'HEVC from Device Manufacturer' app\ninstalled on the remote host is affected by a remote code execution\nvulnerability :\n\n - A remote code execution vulnerability exists in the way that Microsoft\n Windows Codecs Library handles objects in memory. An attacker who\n successfully exploited the vulnerability could execute arbitrary code.\n Exploitation of the vulnerability requires that a program process a specially\n crafted image file. 
(CVE-2020-17022)\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7b35e41\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to app version 1.0.32762.0, 1.0.32763.0, or later via the Microsoft Store.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17022\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"wmi_enum_windows_app_store.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"WMI/Windows App Store/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\n# Thanks to MS for two nearly identical package identity names:\n# Microsoft.HEVCVideoExtension - HEVC Video Extensions from Device Manufacturer\n# Microsoft.HEVCVideoExtensions - HEVC Video Extensions\napps = ['Microsoft.HEVCVideoExtension', 'Microsoft.HEVCVideoExtensions'];\n\napp_info = vcf::microsoft_appstore::get_app_info(app_list:apps);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'fixed_version' : '1.0.32762.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2022-10-03T16:29:37", "description": "A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. 
Attacker-specified code would execute when the target opens the malicious 'package.json' file.\n\nThe update address the vulnerability by modifying the way Visual Studio Code handles JSON files.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-10-15T07:00:00", "type": "mscve", "title": "Visual Studio JSON Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17023"], "modified": "2020-10-15T07:00:00", "id": "MS:CVE-2020-17023", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-03T16:29:38", "description": "A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious 'package.json' file.\n\nThe update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-09-08T07:00:00", "type": "mscve", "title": "Visual Studio JSON Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16881"], "modified": "2020-09-08T07:00:00", "id": "MS:CVE-2020-16881", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16881", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-27T00:23:12", "description": "A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute arbitrary code.\n\nExploitation of the vulnerability requires that a program process a specially crafted image file.\n\nThe update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-10-15T07:00:00", "type": "mscve", "title": "Microsoft Windows Codecs Library Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17022"], "modified": "2020-10-15T07:00:00", "id": "MS:CVE-2020-17022", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17022", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2021-08-18T11:00:09", "description": "### *Detect date*:\n10/15/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Developer Tools. 
Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nVisual Studio Code\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-17023](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-17023>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2020-17023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17023>) 9.3 Critical", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-15T00:00:00", "type": "kaspersky", "title": "KLA11980 ACE vulnerability in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17023"], "modified": "2020-10-19T00:00:00", "id": "KLA11980", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11980/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2021-08-18T11:00:08", "description": "### *Detect date*:\n10/15/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1709 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-17022](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-17022>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-17022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17022>)6.8High", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-15T00:00:00", "type": "kaspersky", "title": "KLA11981 ACE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17022"], "modified": "2020-10-19T00:00:00", "id": "KLA11981", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11981/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-16T12:50:40", "description": "### *Detect date*:\n09/08/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Developer Tools. 
Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, bypass security restrictions.\n\n### *Affected products*:\nASP.NET Core 3.1 \nMicrosoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) \nMicrosoft Visual Studio 2019 version 16.0 \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) \nVisual Studio Code \nASP.NET Core 2.1 \nMicrosoft Visual Studio 2013 Update 5 \nMicrosoft Visual Studio 2012 Update 5 \nMicrosoft Visual Studio 2015 Update 3 \nPowerShell 7.1 \nPowerShell 7.0 \nMicrosoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-1130](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1130>) \n[CVE-2020-1133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1133>) \n[CVE-2020-16874](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16874>) \n[CVE-2020-16881](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16881>) \n[CVE-2020-1045](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1045>) \n[CVE-2020-16856](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16856>) \n[CVE-2020-0951](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0951>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2020-1130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1130>) 4.6 Warning \n[CVE-2020-0951](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0951>) 7.2 High \n[CVE-2020-1133](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1133>) 4.6 Warning \n[CVE-2020-16874](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16874>) 9.3 Critical 
\n[CVE-2020-16881](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16881>) 9.3 Critical \n[CVE-2020-1045](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1045>) 5.0 Critical \n[CVE-2020-16856](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16856>) 9.3 Critical\n\n### *KB list*:\n[4576950](<http://support.microsoft.com/kb/4576950>) \n[4571480](<http://support.microsoft.com/kb/4571480>) \n[4571481](<http://support.microsoft.com/kb/4571481>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-08T00:00:00", "type": "kaspersky", "title": "KLA11956 Multiple vulnerabilities in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0951", "CVE-2020-1045", "CVE-2020-1130", "CVE-2020-1133", "CVE-2020-16856", "CVE-2020-16874", "CVE-2020-16881"], "modified": "2022-09-08T00:00:00", "id": "KLA11956", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11956/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:29:45", "description": "A remote code execution 
vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file, aka 'Visual Studio JSON Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-10-16T23:15:00", "type": "cve", "title": "CVE-2020-17023", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17023"], "modified": "2020-10-20T16:22:00", "cpe": ["cpe:/a:microsoft:visual_studio_code:-"], "id": "CVE-2020-17023", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:visual_studio_code:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:24:52", "description": "A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file, aka 'Visual Studio JSON Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-09-11T17:15:00", "type": "cve", "title": "CVE-2020-16881", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16881"], "modified": "2021-07-21T11:39:00", "cpe": [], "id": "CVE-2020-16881", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16881", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T14:29:44", "description": "A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory, aka 'Microsoft Windows Codecs Library Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-10-16T23:15:00", "type": "cve", "title": "CVE-2020-17022", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17022"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1809"], "id": "CVE-2020-17022", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17022", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*"]}], "avleonov": [{"lastseen": "2020-12-20T04:20:58", "description": "I would like to start this post by talking about Microsoft vulnerabilities, which recently turned out to be much more serious than it seemed at first glance.\n\n\n\n## Older Vulnerabilities with exploits\n\n### "Zerologon" Netlogon RCE (CVE-2020-1472) \n\nOne of them is, of course, the Netlogon vulnerability from the August 2020 Patch Tuesday. It's called "Zerologon". I would not say that Vulnerability Management vendors completely ignored it. But none of them (well, maybe only ZDI) emphasized in their reports that this vulnerability would be a real disaster.\n\n\n\nWhy? Because there were no details and there were no public exploits back then. 
That started to change dramatically when the full review by [Secura](<https://www.secura.com/blog/zero-logon>) was published.\n\n\n\nIt became clear that this was not a privilege escalation. In fact, it was Remote Code Execution without authentication. Then an exploit appeared on [Github](<https://github.com/dirkjanm/CVE-2020-1472>). It was tested and approved by experts.\n\n> We have reproduced the CVE-2020-1472 [#zerologon](<https://twitter.com/hashtag/zerologon?src=hash&ref_src=twsrc%5Etfw>) vulnerability! It's an unauth RCE for Domain Controllers. [pic.twitter.com/qFe45O7WPR](<https://t.co/qFe45O7WPR>)\n> \n> -- PT SWARM (@ptswarm) [September 14, 2020](<https://twitter.com/ptswarm/status/1305479737234599941?ref_src=twsrc%5Etfw>)\n\nAfter this all the Vulnerability Management vendors ([Qualys](<https://blog.qualys.com/vulnerabilities-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>), [Tenable](<https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows>), [Rapid7](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>)) made their blog posts about this vulnerability. 
And CISA even [released an Emergency Directive](<https://cyber.dhs.gov/ed/20-04/>) to patch all the Domain Controllers of Federal Agencies in just 4 days!\n\n\n\nAn exploit for this vulnerability has become available in Mimikatz.\n\n> A new [#mimikatz](<https://twitter.com/hashtag/mimikatz?src=hash&ref_src=twsrc%5Etfw>) release with [#zerologon](<https://twitter.com/hashtag/zerologon?src=hash&ref_src=twsrc%5Etfw>) / CVE-2020-1472 detection, exploit, DCSync support and a lots of love inside  \n \nIt now uses direct RPC call (fast and supports unauthenticated on Windows) \n \n> <https://t.co/Wzb5GAfWfd> \n \nThank you: [@SecuraBV](<https://twitter.com/SecuraBV?ref_src=twsrc%5Etfw>) [pic.twitter.com/s7LRRLPRTP](<https://t.co/s7LRRLPRTP>)\n> \n> --  Benjamin Delpy (@gentilkiwi) [September 16, 2020](<https://twitter.com/gentilkiwi/status/1306178689630076929?ref_src=twsrc%5Etfw>)\n\nAnd so it was not surprising when Microsoft began to detect real-life exploitation of this vulnerability.\n\n> Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [September 24, 2020](<https://twitter.com/MsftSecIntel/status/1308941504707063808?ref_src=twsrc%5Etfw>)\n\nAnd the story is far from over. For example there is an article about new methods of exploiting this vulnerability that [doesn't require the change of the password](<https://dirkjanm.io/a-different-way-of-abusing-zerologon/>), so it will be harder to detect such exploitation.\n\n### EoPs in Microsoft Spooler (CVE-2020-1048) and Windows Update Orchestrator (CVE-2020-1313)\n\nSome more examples without so much hype. 
These concern the appearance of public exploits for\n\n * Microsoft Spooler Elevation of Privilege (CVE-2020-1048, [MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2020_1048_PRINTERDEMON](<https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2020_1048_PRINTERDEMON>)) from _Microsoft Patch Tuesday May 2020_\n * Microsoft Windows Update Orchestrator Elevation of Privilege (CVE-2020-1313, [PACKETSTORM:159305](<https://vulners.com/packetstorm/PACKETSTORM:159305>)) from _Microsoft Patch Tuesday June 2020_\n\nThis is interesting because all the Vulnerability Management vendors simply ignored these vulnerabilities in their Patch Tuesday reviews.  Who could say that these two would be really exploitable among hundreds of others?\n\n### Vulnerability prioritization is not a silver bullet\n\nI think it's just a good demonstration that vulnerability prioritization is not a silver bullet and if you want to protect your infrastructure, you should install all the patches on all the hosts or monitor security news carefully (and doing both is even better). For monitoring I use my own Telegram channel [@avleonovnews](<https://t.me/avleonovnews>). It updates automatically, and the script not only shows news from different feeds, but also tries to highlight everything related to vulnerabilities, exploits, patches, etc. So, I invite you to check it out.\n\n## September 2020 Patch Tuesday\n\nNow let's finally look at the September vulnerabilities. There were 129 vulnerabilities: 23 of them were critical, 105 were important and 1 was moderate. There were no vulnerabilities with detected exploitation.\n\n### Exploitation more likely (7)\n\nThere were 7 vulnerabilities marked as "Exploitation more likely". But none of them were mentioned by Vulnerability Management vendors. Probably it's because there were no RCEs, only Elevation of Privilege and Information Disclosure. 
\n\n#### Elevation of Privilege\n\n * DirectX ([CVE-2020-1308](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1308>))\n * Windows Common Log File System Driver ([CVE-2020-1115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1115>))\n * Windows Kernel ([CVE-2020-1245](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1245>))\n * Windows Win32k ([CVE-2020-1152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1152>))\n\n#### Information Disclosure\n\n * Active Directory ([CVE-2020-0664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0664>), [CVE-2020-0856](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0856>))\n * Windows Kernel ([CVE-2020-0941](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0941>))\n\n### Other Product based (30)\n\nThe software products with the most vulnerabilities were Microsoft Dynamics 365 (On-Premise), Microsoft SharePoint and Windows Kernel. Vulnerability Management vendors focussed on Microsoft SharePoint Remote Code Execution vulnerabilities. There were 7 of them ([CVE-2020-1200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1200>), [CVE-2020-1210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1210>), [CVE-2020-1452](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1452>), [CVE-2020-1453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1453>), [CVE-2020-1460](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1460>), [CVE-2020-1576](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1576>), [CVE-2020-1595](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1595>))! Only one, CVE-2020-1460, requires authentication. 
Rapid7 also mentions two rare "Tampering" SharePoint vulnerabilities ([CVE-2020-1440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1440>), [CVE-2020-1523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1523>)). "Fortunately, the description on this vulnerability does say prior authentication on an affected SharePoint Server is required, but with that in hand, an attacker can target specific users and alter the targets profile data."\n\n#### Microsoft Dynamics 365 (On-Premise)\n\n * Cross Site Scripting ([CVE-2020-16858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16858>), [CVE-2020-16859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16859>), [CVE-2020-16861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16861>), [CVE-2020-16864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16864>), [CVE-2020-16871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16871>), [CVE-2020-16872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16872>), [CVE-2020-16878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16878>))\n\n#### Microsoft SharePoint\n\n * Remote Code Execution ([CVE-2020-1200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1200>), [CVE-2020-1210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1210>), [CVE-2020-1452](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1452>), [CVE-2020-1453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1453>), [CVE-2020-1460](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1460>), [CVE-2020-1576](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1576>), 
[CVE-2020-1595](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1595>))\n * Cross Site Scripting ([CVE-2020-1198](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1198>), [CVE-2020-1227](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1227>), [CVE-2020-1345](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1345>), [CVE-2020-1482](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1482>), [CVE-2020-1514](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1514>), [CVE-2020-1575](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1575>))\n * Spoofing ([CVE-2020-1205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1205>))\n * Tampering ([CVE-2020-1440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1440>), [CVE-2020-1523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1523>))\n\n#### Windows Kernel\n\n * Elevation of Privilege ([CVE-2020-1034](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1034>))\n * Information Disclosure ([CVE-2020-0928](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0928>), [CVE-2020-1033](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1033>), [CVE-2020-1250](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1250>), [CVE-2020-1589](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1589>), [CVE-2020-1592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1592>), [CVE-2020-16854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16854>))\n\n### Other Vulnerability Type based (92)\n\nAmong other vulnerabilities, the most interesting, of course, are various Remote Code Executions. 
\n\nA funny story happened with RCE in Microsoft Exchange Server ([CVE-2020-16875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875>)). All Vulnerability Management vendors marked it as top priority. But Microsoft later changed the description to indicate the bug can only be reached by an authenticated user. So, the risk became much lower. \n\nOther RCE groups mentioned by Vulnerability Management vendors:\n\n * Browser-related RCEs in Chakra Scripting Engine ([CVE-2020-1180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1180>), [CVE-2020-1057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1057>), [CVE-2020-1172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1172>)), Microsoft Browser ([CVE-2020-0878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0878>))\n * Office-related RCEs in Microsoft Excel ([CVE-2020-1193](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1193>), [CVE-2020-1332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1332>), [CVE-2020-1335](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1335>), [CVE-2020-1594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1594>)), Microsoft Word ([CVE-2020-1218](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1218>), [CVE-2020-1338](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338>))\n * Microsoft Dynamics 365 (on-premises) ([CVE-2020-16860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16860>), [CVE-2020-16862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16862>), [CVE-2020-16857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16857>)) \n * Windows systems components: Microsoft COM for Windows 
([CVE-2020-0922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0922>)), Microsoft Windows Codecs Library ([CVE-2020-1129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1129>), [CVE-2020-1319](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1319>)), and simply Windows ([CVE-2020-1252](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1252>))\n\n#### Remote Code Execution\n\n * Active Directory ([CVE-2020-0718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0718>), [CVE-2020-0761](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0761>))\n * Chakra Scripting Engine ([CVE-2020-1180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1180>), [CVE-2020-1057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1057>), [CVE-2020-1172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1172>))\n * GDI+ ([CVE-2020-1285](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1285>))\n * Internet Explorer Browser Helper Object (BHO) ([CVE-2020-16884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16884>))\n * Jet Database Engine ([CVE-2020-1039](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1039>), [CVE-2020-1074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1074>))\n * Microsoft Browser ([CVE-2020-0878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0878>))\n * Microsoft COM for Windows ([CVE-2020-0922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0922>))\n * Microsoft Dynamics 365 (on-premises) ([CVE-2020-16860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16860>), 
[CVE-2020-16862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16862>))\n * Microsoft Dynamics 365 for Finance and Operations (on-premises) ([CVE-2020-16857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16857>))\n * Microsoft Excel ([CVE-2020-1193](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1193>), [CVE-2020-1332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1332>), [CVE-2020-1335](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1335>), [CVE-2020-1594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1594>))\n * Microsoft Exchange Server ([CVE-2020-16875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875>))\n * Microsoft Windows Codecs Library ([CVE-2020-1129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1129>), [CVE-2020-1319](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1319>))\n * Microsoft Word ([CVE-2020-1218](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1218>), [CVE-2020-1338](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338>))\n * Visual Studio ([CVE-2020-16856](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16856>), [CVE-2020-16874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874>))\n * Visual Studio JSON ([CVE-2020-16881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16881>))\n * Windows ([CVE-2020-1252](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1252>))\n * Windows Camera Codec Pack ([CVE-2020-0997](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0997>))\n * Windows Media Audio Decoder 
([CVE-2020-1508](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1508>), [CVE-2020-1593](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1593>))\n * Windows Text Service Module ([CVE-2020-0908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0908>))\n\n#### Denial of Service\n\n * Windows DNS ([CVE-2020-0836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0836>), [CVE-2020-1228](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1228>))\n * Windows Hyper-V ([CVE-2020-0890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0890>), [CVE-2020-0904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0904>))\n * Windows Routing Utilities ([CVE-2020-1038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1038>))\n\n#### Elevation of Privilege\n\n * Connected User Experiences and Telemetry Service ([CVE-2020-1590](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1590>))\n * Diagnostics Hub Standard Collector ([CVE-2020-1130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1130>), [CVE-2020-1133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1133>))\n * DirectX ([CVE-2020-1053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1053>))\n * Group Policy ([CVE-2020-1013](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1013>))\n * Microsoft COM for Windows ([CVE-2020-1507](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1507>))\n * Microsoft Store Runtime ([CVE-2020-0766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0766>), [CVE-2020-1146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1146>))\n * Microsoft splwow64 
([CVE-2020-0790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0790>))\n * NTFS ([CVE-2020-0838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0838>))\n * OneDrive for Windows ([CVE-2020-16851](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16851>), [CVE-2020-16852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16852>), [CVE-2020-16853](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16853>))\n * Shell infrastructure component ([CVE-2020-0870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0870>))\n * WinINet API ([CVE-2020-1012](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1012>))\n * Windows ([CVE-2020-1052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1052>), [CVE-2020-1159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1159>), [CVE-2020-1376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1376>))\n * Windows CloudExperienceHost ([CVE-2020-1471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1471>))\n * Windows Cryptographic Catalog Services ([CVE-2020-0782](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0782>))\n * Windows Function Discovery SSDP Provider ([CVE-2020-0912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0912>))\n * Windows Function Discovery Service ([CVE-2020-1491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1491>))\n * Windows Graphics Component ([CVE-2020-0998](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0998>))\n * Windows InstallService ([CVE-2020-1532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1532>))\n * Windows Language Pack Installer 
([CVE-2020-1122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1122>))\n * Windows Modules Installer ([CVE-2020-0911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0911>))\n * Windows Print Spooler ([CVE-2020-1030](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1030>))\n * Windows RSoP Service Application ([CVE-2020-0648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0648>))\n * Windows Runtime ([CVE-2020-1169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1169>), [CVE-2020-1303](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1303>))\n * Windows Shell Infrastructure Component ([CVE-2020-1098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1098>))\n * Windows Start-Up Application ([CVE-2020-1506](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1506>))\n * Windows Storage Services ([CVE-2020-0886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0886>), [CVE-2020-1559](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1559>))\n * Windows UPnP Service ([CVE-2020-1598](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1598>))\n * Windows dnsrslvr.dll ([CVE-2020-0839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0839>))\n\n#### Security Feature Bypass\n\n * Microsoft ASP.NET Core ([CVE-2020-1045](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1045>))\n * Projected Filesystem ([CVE-2020-0805](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0805>))\n * SQL Server Reporting Services ([CVE-2020-1044](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044>))\n * Windows Defender Application Control 
([CVE-2020-0951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0951>))\n\n#### Information Disclosure\n\n * Microsoft Excel ([CVE-2020-1224](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1224>))\n * Microsoft Graphics Component ([CVE-2020-0921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0921>), [CVE-2020-1083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1083>))\n * Microsoft Office ([CVE-2020-16855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16855>))\n * Microsoft splwow64 ([CVE-2020-0875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0875>))\n * Projected Filesystem ([CVE-2020-16879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16879>))\n * TLS ([CVE-2020-1596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1596>))\n * Windows ([CVE-2020-1119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1119>))\n * Windows DHCP Server ([CVE-2020-1031](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1031>))\n * Windows GDI ([CVE-2020-1256](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1256>))\n * Windows Graphics Component ([CVE-2020-1091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1091>), [CVE-2020-1097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1097>))\n * Windows Mobile Device Management Diagnostics ([CVE-2020-0989](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0989>))\n * Windows State Repository Service ([CVE-2020-0914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0914>))\n\n#### Spoofing\n\n * ADFS ([CVE-2020-0837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0837>))\n * 
Xamarin.Forms ([CVE-2020-16873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16873>))\n\nWhat vulnerabilities of other types do VM vendors mention in their reports?\n\nDenial of Service in Windows DNS ([CVE-2020-0836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0836>), [CVE-2020-1228](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1228>)). "In order to exploit this issue, an authenticated attacker would need to send a crafted, malicious DNS query to an affected host, resulting in an exhaustion of resources causing the device to become unresponsive."\n\nSecurity Feature Bypass in Windows Defender Application Control ([CVE-2020-0951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0951>)). Comment from a ZDI expert: "An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. However, what\u2019s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. 
I\u2019m curious about what makes this one different."\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-30T23:46:21", "type": "avleonov", "title": "Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0648", "CVE-2020-0664", "CVE-2020-0718", "CVE-2020-0761", "CVE-2020-0766", "CVE-2020-0782", "CVE-2020-0790", "CVE-2020-0805", "CVE-2020-0836", "CVE-2020-0837", "CVE-2020-0838", "CVE-2020-0839", "CVE-2020-0856", "CVE-2020-0870", "CVE-2020-0875", "CVE-2020-0878", "CVE-2020-0886", "CVE-2020-0890", "CVE-2020-0904", "CVE-2020-0908", "CVE-2020-0911", "CVE-2020-0912", "CVE-2020-0914", "CVE-2020-0921", "CVE-2020-0922", "CVE-2020-0928", "CVE-2020-0941", "CVE-2020-0951", "CVE-2020-0989", "CVE-2020-0997", "CVE-2020-0998", "CVE-2020-1012", "CVE-2020-1013", "CVE-2020-1030", "CVE-2020-1031", "CVE-2020-1033", "CVE-2020-1034", "CVE-2020-1038", "CVE-2020-1039", "CVE-2020-1044", "CVE-2020-1045", "CVE-2020-1048", "CVE-2020-1052", "CVE-2020-1053", "CVE-2020-1057", "CVE-2020-1074", 
"CVE-2020-1083", "CVE-2020-1091", "CVE-2020-1097", "CVE-2020-1098", "CVE-2020-1115", "CVE-2020-1119", "CVE-2020-1122", "CVE-2020-1129", "CVE-2020-1130", "CVE-2020-1133", "CVE-2020-1146", "CVE-2020-1152", "CVE-2020-1159", "CVE-2020-1169", "CVE-2020-1172", "CVE-2020-1180", "CVE-2020-1193", "CVE-2020-1198", "CVE-2020-1200", "CVE-2020-1205", "CVE-2020-1210", "CVE-2020-1218", "CVE-2020-1224", "CVE-2020-1227", "CVE-2020-1228", "CVE-2020-1245", "CVE-2020-1250", "CVE-2020-1252", "CVE-2020-1256", "CVE-2020-1285", "CVE-2020-1303", "CVE-2020-1308", "CVE-2020-1313", "CVE-2020-1319", "CVE-2020-1332", "CVE-2020-1335", "CVE-2020-1338", "CVE-2020-1345", "CVE-2020-1376", "CVE-2020-1440", "CVE-2020-1452", "CVE-2020-1453", "CVE-2020-1460", "CVE-2020-1471", "CVE-2020-1472", "CVE-2020-1482", "CVE-2020-1491", "CVE-2020-1506", "CVE-2020-1507", "CVE-2020-1508", "CVE-2020-1514", "CVE-2020-1523", "CVE-2020-1532", "CVE-2020-1559", "CVE-2020-1575", "CVE-2020-1576", "CVE-2020-1589", "CVE-2020-1590", "CVE-2020-1592", "CVE-2020-1593", "CVE-2020-1594", "CVE-2020-1595", "CVE-2020-1596", "CVE-2020-1598", "CVE-2020-16851", "CVE-2020-16852", "CVE-2020-16853", "CVE-2020-16854", "CVE-2020-16855", "CVE-2020-16856", "CVE-2020-16857", "CVE-2020-16858", "CVE-2020-16859", "CVE-2020-16860", "CVE-2020-16861", "CVE-2020-16862", "CVE-2020-16864", "CVE-2020-16871", "CVE-2020-16872", "CVE-2020-16873", "CVE-2020-16874", "CVE-2020-16875", "CVE-2020-16878", "CVE-2020-16879", "CVE-2020-16881", "CVE-2020-16884"], "modified": "2020-09-30T23:46:21", "id": "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "href": "http://feedproxy.google.com/~r/avleonov/~3/dRwfLxvx9zU/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}