High Threat Security Alert (A20-10-01): Multiple Vulnerabilities in Microsoft Products (October 2020)

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:

https://support.microsoft.com/en-us/help/20201013/security-update-deployment-information-october-13-2020

The proof-of-concept exploit against the remote code execution vulnerability (CVE-2020-16898) in Microsoft's Windows IPv6 stack has been observed. The vulnerability affects Windows 10, Windows Server 2019, and Windows Server, version 1903, version 1909 and version 2004. System administrators are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

Affected Systems:

• Microsoft Windows 7, 8.1, RT 8.1, 10
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
• Microsoft Windows Server, version 1903, version 1909, version 2004
• Microsoft Office 2010, 2013, 2013 RT, 2016, 2016 for Mac, 2019, 2019 for Mac
• Microsoft Office Online Server
• Microsoft Office Web Apps 2010, 2013
• Microsoft Excel 2010, 2013, 2013 RT, 2016
• Microsoft Excel Web App 2010
• Microsoft Word 2010, 2013, 2013 RT, 2016
• Microsoft Exchange Server 2013, 2016, 2019
• Microsoft Outlook 2010, 2013, 2013 RT, 2016
• Microsoft Dynamics 365 (on-premises) version 8.2, 9.0
• Microsoft SharePoint Foundation 2010, 2013
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2010, 2019
• Microsoft 365 Apps for Enterprise
• Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
• 3D Viewer
• Azure Functions
• Dynamics 365 Commerce
• Network Watcher Agent virtual machine extension for Linux
• PowerShellGet 2.2.5
• Visual Studio Code

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, denial of service, information disclosure, security feature bypass and spoofing.

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Oct
https://www.hkcert.org/my_url/en/alert/20101401
https://us-cert.cisa.gov/ncas/current-activity/2020/10/13/microsoft-releases-october-2020-security-updates
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16885 (to CVE-2020-16887)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16889 (to CVE-2020-16892)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16894 (to CVE-2020-16902)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16907 (to CVE-2020-16916)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16918 (to CVE-2020-16924)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16927 (to CVE-2020-16957)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16967 (to CVE-2020-16969)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16972 (to CVE-2020-16978)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17003