
Microsoft Patches Several Publicly Disclosed Windows Vulnerabilities

Microsoft has fixed nearly 90 vulnerabilities with its October 2020 Patch Tuesday updates. None of them has been exploited in attacks, but several of the flaws were publicly disclosed before the patches were released.

The publicly disclosed vulnerabilities have been classified as important severity and their exploitation can lead to information disclosure or privilege escalation. A majority impact Windows and one affects the .NET framework.

The .NET vulnerability allows an authenticated attacker to access the targeted system’s memory, specifically its memory layout. Exploitation requires executing a specially crafted application.

Another disclosed flaw impacts the Windows Error Reporting (WER) component and it can be leveraged for privilege escalation. While this particular weakness does not appear to have been exploited, Malwarebytes reported earlier this month that it had spotted an attack in which the payload was injected into the WER service to evade defenses.

Two of the disclosed vulnerabilities affect the Windows kernel. An authenticated attacker could exploit them to obtain information that can be useful to further compromise impacted systems.

One of the flaws whose details have been made public impacts Windows 10 Setup and it can only be exploited for privilege escalation by a local attacker while the computer is upgrading to a newer version of Windows.

The last disclosed issue impacts the Windows Storage VSP Driver and it can allow an authenticated attacker to escalate privileges.

Nearly a dozen of the vulnerabilities patched by Microsoft this month have been rated critical. They impact Windows, Outlook, the Base3D rendering engine, and SharePoint. They can all lead to remote code execution.

One interesting security bug that has been rated critical is CVE-2020-16947, which affects Outlook and allows an attacker to execute arbitrary code by sending a specially crafted email to the targeted user.

“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” explained the Zero Day Initiative’s Dustin Childs. “The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer. Although Microsoft gives this an XI rating of 2, we have a working proof-of-concept. Patch this one quickly.”

Another noteworthy vulnerability that was patched this month is CVE-2020-16898, which is related to how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. An attacker can exploit the flaw for code execution on a server or client by sending specially crafted packets to the targeted device.

Bharat Jogi, senior manager of vulnerability and threat research at Qualys, warned that this flaw could be wormable.

“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” Jogi said in an emailed comment. “We expect a PoC for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible. Microsoft has also provided a workaround for this vulnerability and strongly recommends installing updates for this vulnerability quickly.”

It’s worth noting that the number of vulnerabilities fixed this Patch Tuesday is slightly smaller than in previous months. Between March and September, the number of patched vulnerabilities never dropped below 110.

Todd Schell, senior product manager for security at Ivanti, pointed out that there do not appear to be any Edge or Internet Explorer patches this month. “Not sure I remember the last time that has happened,” he told SecurityWeek.

Adobe’s October 2020 Patch Tuesday updates only address one critical code execution vulnerability in Flash Player.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
