Windows 10, Microsoft Office, Windows Defender and many other Microsoft software products are benefiting from the November 2020 Patch Tuesday. In all, more than 112 security vulnerabilities, 17 of which are considered critical, have been fixed via the patch.
Microsoft has just deployed patches for 112 security holes discovered in its products via the November 2020 Patch Tuesday. The update includes a fix for the particularly dangerous zero-day vulnerability discovered by Google Project Zero last week. 17 of the vulnerabilities addressed by the November Patch Tuesday are considered "critical", i.e. particularly serious.
93 of them are classified as "Important" and two are of low severity. This still brings the total to over 110 after an October Patch Tuesday that corrected 87 vulnerabilities. Microsoft explains that the bugs addressed by this Patch Tuesday concern the following products:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Internet Explorer
- Microsoft Edge (EdgeHTML)
- Microsoft Edge (Chromium)
- Microsoft Exchange Server
- Microsoft Dynamics
- Microsoft Windows Codecs Library
- Azure Sphere
- Windows Defender
- Microsoft Teams
- Azure SDK
- Azure DevOps
- Visual Studio
Microsoft fixes no fewer than 117 security flaws, including 17 critical ones.
The worst of these security flaws is undoubtedly CVE-2020-17087, which scored 7.8 (on a scale of 10). This is a buffer overflow vulnerability that can allow an attacker, in conjunction with a separate Google Chrome vulnerability, to execute arbitrary code with elevated privileges.
In addition to this Patch Tuesday, we note that Chrome also benefits from an update to address this flaw. Other security issues include a large number of vulnerabilities, such as remote code execution (RCE) in Exchange Server, Network File System and Microsoft Teams, as well as in the Windows Hyper-V virtualization platform.
The most severe of these vulnerabilities appears to be the one in Network File System (CVE-2020-17051), which has a CVSS score of 9.8. Microsoft nevertheless notes that due to the complexity of a possible attack exploiting this flaw, its actual severity is rather low. Other vulnerabilities include memory corruption in Microsoft Scripting Engine, Internet Explorer (CVE-2020-17053) and remote code execution vulnerabilities in the HEVC codec library.
For the rest, Microsoft is rather discreet about how the flaws in this Patch Tuesday could be exploited, and about their effects on the machine. Because of the extent and severity of the flaws, however, it seems essential to keep your machine up to date. To do this on Windows 10:
- Go to Start > Settings > Updates and Security > Windows Update
- Click Check for Updates
The update will be offered as soon as it is available on your machine.