Microsoft Patch Tuesday fixes 17 critical flaws, Windows zero‑day


The second Tuesday of the month brings another fresh batch of fixes for security vulnerabilities in various Microsoft products

It’s that time of the month again when Microsoft rolls out patches for security vulnerabilities in Windows and other software. This time round, the patch bundle brings fixes for no fewer than 112 security vulnerabilities, including a Windows zero-day bug that was disclosed last month and is being actively exploited in the wild.

The flaw, tracked as CVE-2020-17087 and ranked as “important” on the CVSS scale, resides in the Windows Kernel Cryptography Driver. It is an elevation of privilege vulnerability that could allow an attacker to perform a sandbox escape. The vulnerability is being exploited in tandem with another zero-day flaw, which is indexed as CVE-2020-15999 and affects FreeType, a software development library that is also a part of Google’s Chrome browser. Both security flaws were uncovered by Google’s Project Zero, and chaining them together could allow an attacker to compromise and gain administrator-level access to a system.

Beyond the zero-day, the latest round of updates also includes fixes for 17 security flaws that received the highest, “critical” rating. The vast majority of the rest were ranked as “important” and two were classified as “low” in severity.

Among those ranked as critical, one earned an ‘almost perfect score’ of 9.8 out of 10 on the CVSS scale. The vulnerability tracked as CVE-2020-17051 can be found in the Windows Network File System and is categorized as a remote code execution (RCE) flaw whose exploitation is “more likely”. There is another RCE vulnerability where exploitation is seen as “more likely” by the Redmond tech giant – the flaw affecting Microsoft SharePoint and indexed as CVE-2020-17061.

Security updates were released for a wide range of products, including Windows, Microsoft Office, both Internet Explorer and Edge browsers, as well as other products and services in Microsoft’s portfolio.

Both regular users and system administrators would be well advised to apply the patches as soon as practicable.





Source link