Microsoft fixed 87 security vulnerabilities in Windows and other software in its monthly Patch Tuesday update cycle. Twelve of the bugs fixed were rated critical. There are no zero-days among the fixed vulnerabilities.
Of the 87 security vulnerabilities, Microsoft rates 12 as “critical”, 74 as “important” and 1 as “moderate”. There were no zero-days among the bugs. Microsoft fixed bugs not only in Windows, but also in Microsoft Office, Azure, Windows Media Player, Adobe Flash Player and Visual Studio. Several bugs were also fixed in the Windows kernel, although none of them were rated critical.
Ten of the twelve critical problems enabled remote code execution. For example, a bug in the TCP/IP stack made it possible to execute code remotely. Attackers could exploit it by sending a malicious ICMPv6 packet to a vulnerable system. McAfee published a blog post about the bug, which the company calls “Bad Neighbor.” According to a proof-of-concept published by McAfee, exploiting the bug is “extremely simple.”
Remote code execution was also possible through Outlook, and could be exploited by sending a specially crafted email. Victims only needed to display the malicious email in the preview window for malware to be installed. CVE-2020-16911, a bug in the Windows Graphics Device Interface, made it possible, for example, to create a malicious website that would allow attackers to execute code on visitors’ devices. CVE-2020-16891 allowed users of a Hyper-V virtual machine to run commands on the OS of the host system.
Microsoft is rolling out the updates to various Windows versions, such as Windows 10, Windows Server, and Windows 8.1. Windows 7 users with extended security support can also expect the update.