It’s Cyber Security Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers, you should know that the company today shipped a raft of software updates to fix at least 87 security issues in Windows and the programs that run on top of the operating system. That means it’s time once again to back up and patch up.
Eleven of these vulnerabilities earned Microsoft’s most dire “critical” rating, meaning the bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.
The worst in terms of outright dread is probably CVE-2020-16898, a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware simply by sending a malformed data packet to a vulnerable system. CVE-2020-16898 earned a CVSS score of 9.8 (10 is the most awful).
Security vendor McAfee dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is imminently “wormable” – that is, capable of being weaponized into a threat that spreads very quickly within networks.
“This results in an immediate BSOD (Blue Screen of Death), but more so indicates the likelihood of exploitation for those who manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that allowed remote code execution would be widespread and very powerful, as this type of bug could become wormable.”
Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug fixed in this month’s patch batch: CVE-2020-16947, an issue with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.
“The Preview Pane is an attack vector here, so you don’t even have to open the mail to be impacted,” said ZDI’s Dustin Childs.
While there don’t appear to be any zero-day flaws in Microsoft’s October release, Todd Schell of Ivanti points out that a half-dozen of these flaws were publicly disclosed before today, which means the bad guys have had a head start in researching and designing working exploits.
Other patches released today address issues in Exchange Server, Visual Studio, .NET Framework, and a whole mess of other core Windows components.
For anyone who has been waiting for an Adobe Flash Player patch, the wait is over. After several months without Flash patches, Adobe has shipped an update that fixes a single – albeit critical – flaw in the program that crooks could use to install malicious software on your computer simply by tricking you into visiting a hacked or malicious website.
Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge automatically update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates later this year that will remove Flash from Windows machines.
It’s a good idea for Windows users to get into the habit of updating at least once a month, but for regular users (read: not businesses) it’s generally safe to wait a few days after the patches are released, so that Microsoft has time to iron out any wrinkles in the new armor.
But before updating, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.
So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete, bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
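The back-up-before-you-patch routine described above, as one scripted example. This is an added illustration, not code from the original post or from Microsoft: it uses the built-in restore-point cmdlets and the wbadmin image tool that ship with Windows 10, and it assumes an external backup drive letter ($BackupTarget) and an output path for the update inventory ($StateFile), both of which you should change to suit your machine.

```powershell
# Added example (not from the original post): prepare a Windows 10 machine for
# Patch Tuesday by taking a restore point and a full system image before updating,
# then record which updates are installed so the post-patch state can be compared.
# Run from an elevated PowerShell prompt. $BackupTarget is an assumption: point it
# at a drive or UNC path that is NOT the system drive.

#Requires -RunAsAdministrator
param(
    [string]$BackupTarget = 'E:',                                   # assumption: external drive
    [string]$StateFile    = "$env:USERPROFILE\pre-patch-hotfixes.csv"  # assumption: inventory path
)

# 1. Make sure System Protection is enabled for the system drive, then create a
#    restore point. Windows limits restore-point creation to one per 24 hours by
#    default, so a "skipped" warning here is expected if one was taken recently.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Pre-Patch-Tuesday' -RestorePointType MODIFY_SETTINGS

# 2. Take a full, bootable system image with the built-in Windows Backup tool.
#    -allCritical includes every volume needed to boot; -quiet suppresses the prompt.
if (Test-Path $BackupTarget) {
    & wbadmin start backup "-backupTarget:$BackupTarget" -allCritical -quiet
} else {
    Write-Warning "Backup target $BackupTarget not found; skipping the system image."
}

# 3. Snapshot the list of installed updates so you can confirm afterwards that the
#    month's fixes actually landed (compare this file with a fresh Get-HotFix run).
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn |
    Export-Csv -Path $StateFile -NoTypeInformation

Write-Host "Restore point taken and update inventory written to $StateFile."
```

After the patches are installed and the machine has rebooted, running Get-HotFix again and diffing it against the saved CSV shows exactly which updates were applied; if the update leaves the system unbootable, the wbadmin image can be restored from the Windows recovery environment.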
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better than even chance other readers have experienced the same and may chime in here with some helpful tips.