In its latest Patch Tuesday release, Microsoft addressed 112 security flaws, one of which is a zero-day that attackers are already exploiting.
Of the 112 issues, 17 are rated critical, the rating Microsoft gives to flaws that can be used to take full control of a Windows device, typically through remote code execution.
The most notable of them is CVE-2020-17087, which is already being exploited in the wild.
It is a local privilege escalation flaw in the Windows Kernel Cryptography Driver (cng.sys) that lets code running under a regular user account gain SYSTEM-level privileges; Microsoft rates it Important rather than critical.
Because it is a local bug, it cannot be used on its own: an attacker must first obtain code execution on the target, typically through a separate remote exploit, and then use CVE-2020-17087 to escape the sandbox and escalate.
The bad news is that Google researchers have already seen exactly this chain in the wild.
For this reason, Google released a Chrome update in late October addressing CVE-2020-15999, a heap buffer overflow in the FreeType font library bundled with Chrome, which was exploited together with CVE-2020-17087 to target Windows users: the Chrome bug gave the attackers code execution inside the sandboxed renderer, and the Windows bug broke out of the sandbox.
Microsoft’s advice regarding the new batch of fixes may look rather sparse.
This is because Microsoft has moved its advisories to the Common Vulnerability Scoring System (CVSS) format, aligning them with those published by other major software vendors.
The downside is that the new format drops the descriptive text that used to explain:
- The scope of the vulnerability
- The manner in which it can be exploited
- The result of the exploitation
Microsoft explained the reasoning behind these changes in one of its recent blog posts, but many people are still unhappy with the new format.
Bob Huber, chief security officer at Tenable, is in favour of the new format, but admits that deciphering raw CVSS data may not be suitable for individuals who are not security practitioners.
Moreover, it makes it difficult to comprehend the urgency of a given patch.
In other news, Adobe has released fixes for 14 security flaws in Adobe Acrobat and Adobe Reader.
No Adobe Flash Player fixes have been released so far.