Microsoft on Tuesday issued fixes for 87 newly discovered security vulnerabilities as part of its October 2020 Patch Tuesday, including two critical remote code execution (RCE) flaws in Windows TCP/IP stack and Microsoft Outlook.
The flaws, 11 of which are categorized as Critical, 75 are ranked Important, and one is classified Moderate in severity, affect Windows, Office and Office Services and Web Apps, Visual Studio, Azure Functions, .NET Framework, Microsoft Dynamics, Open Source Software, Exchange Server, and the Windows Codecs Library.
Although none of these flaws are listed as being under active attack, six vulnerabilities are listed as publicly known at the time of release.
Chief among the most critical bugs patched this month include CVE-2020-16898 (CVSS score 9.8). According to Microsoft, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer to exploit the RCE flaw in the TCP/IP stack to execute arbitrary code on the target client or server.
According to McAfee security experts, ‘this type of bug could be made wormable,’ allowing hackers to launch an attack that can spread from one vulnerable computer to another without any human interaction.
images from Hacker News