Microsoft security alert.
October 13, 2020
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 81 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Windows Adobe Flash Player Security Update for October 2020 (ADV200012)
- Severity
- Critical 4
- Qualys ID
- 100411
- Vendor Reference
- ADV200012
- CVE Reference
- CVE-2020-9746
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
The update contains security fixes for Adobe Flash Player on Internet Explorer.
Affected Versions:
Windows 10, version 2004,Windows 10, version 1903 and 1909,Windows 10, version 1809 and Windows Server 2019,Windows 10, version 1803,Windows 10, version 1709,Windows 10, version 1703,Windows 10, version 1607 and Windows Server 2016,Windows 10 (initial version released July 2015),Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2,Windows Server 2012 with Adobe Flash Player version prior to N/A.QID Detection Logic:
This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is 32.0.0.433 and earlier. - Consequence
-
An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.
- Solution
-
Customers are advised to follow 4580325 for instructions pertaining to the remediation of this vulnerability.
Workaround:
1. Prevent Adobe Flash Player from running You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.
2. Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:000004003. [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
Double-click the .reg file to apply it to an individual system.
You can also apply this workaround across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV200012 WIndows
-
Microsoft SharePoint Foundation and SharePoint Server Update October 2020
- Severity
- Critical 4
- Qualys ID
- 110363
- Vendor Reference
- KB4484531, KB4486676, KB4486677, KB4486687, KB4486694, KB4486708
- CVE Reference
- CVE-2020-16929, CVE-2020-16941, CVE-2020-16942, CVE-2020-16944, CVE-2020-16945, CVE-2020-16946, CVE-2020-16948, CVE-2020-16950, CVE-2020-16951, CVE-2020-16952, CVE-2020-16953
- CVSS Scores
- Base 6.8 / Temporal 5.6
- Description
-
Microsoft has released October 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4486708
KB4486677
KB4486676
KB4486694
KB4486687
KB4484531QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected SharePoint system. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft SharePoint Foundation and SharePoint Server October 2020
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2020
- Severity
- Critical 4
- Qualys ID
- 110364
- Vendor Reference
- KB4462175, KB4484417, KB4484435, KB4484524, KB4486663, KB4486671, KB4486674, KB4486678, KB4486679, KB4486682, KB4486688, KB4486689, KB4486692, KB4486695, KB4486700, KB4486701, KB4486703, KB4486707
- CVE Reference
- CVE-2020-16918, CVE-2020-16928, CVE-2020-16929, CVE-2020-16930, CVE-2020-16931, CVE-2020-16932, CVE-2020-16933, CVE-2020-16934, CVE-2020-16947, CVE-2020-16949, CVE-2020-16954, CVE-2020-16955, CVE-2020-16957
- CVSS Scores
- Base 9.3 / Temporal 7.3
- Description
-
Microsoft has released October 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4486695
KB4486707
KB4486663
KB4486678
KB4486692
KB4486703
KB4486701
KB4486674
KB4486671
KB4486679
KB4486689
KB4486682
KB4484524
KB4486700
KB4486688
KB4462175
KB4484417
KB4484435QID Detection Logic:
This authenticated QID checks the file versions from the Microsoft advisory with the versions on affected office system.Note: Office click-2-run and Office 365 installations need to be either updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2020
-
Microsoft Windows TCP/IP ICMPv6 RDNSS Disabled
- Severity
- Minimal 1
- Qualys ID
- 45468
- Vendor Reference
- CVE-2020-16898
- CVE Reference
- N/A
- CVSS Scores
- Base / Temporal
- Description
-
The host has "ICMPv6 RDNSS" disabled in the Windows TCP/IP settings.
QID Detection Logic (Authenticated):
This QID executes powershell command "netsh int ipv6 show interfaces level=verbose | Select-String -Pattern 'IfIndex\s+: ([2-9]|[0-9]{2,})' -Context 1,3000" , This QID will only flag when all interfaces except loopback have RDNSS disabled.NOTE: You may see this QID is supported by remote scanner (Appliance scan) and Cloud Agent in UI, but it is supported by Cloud Agent only.
- Consequence
- N/A
- Solution
- Use powershell command "netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable" to disable RDNSS.
-
Microsoft Exchange Server Security Update for October 2020
- Severity
- Serious 3
- Qualys ID
- 50102
- Vendor Reference
- KB4581424
- CVE Reference
- CVE-2020-16969
- CVSS Scores
- Base 4.3 / Temporal 3.2
- Description
-
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages.
The security update corrects the way that Exchange handles these token validations.
Affected Software:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 17
Microsoft Exchange Server 2016 Cumulative Update 18
Microsoft Exchange Server 2019 Cumulative Update 6
Microsoft Exchange Server 2019 Cumulative Update 7KB articles covered: 4581424.
QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe if it is lesser than:
The version for Microsoft Exchange Server 2013 Cumulative Update 23 is
The version for Microsoft Exchange Server 2016 Cumulative Update 17 is
The version for Microsoft Exchange Server 2016 Cumulative Update 18 is
The version for Microsoft Exchange Server 2019 Cumulative Update 6 is
The version for Microsoft Exchange Server 2019 Cumulative Update 7 is - Consequence
-
Successful exploitation allows an attacker to leverage this vulnerability and gain further information from a user.
- Solution
-
Customers are advised to refer to CVE-2020-16969 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4581424
-
Microsoft .NET Framework Security Updates for October 2020
- Severity
- Critical 4
- Qualys ID
- 91682
- Vendor Reference
- KB4578968, KB4578969, KB4578971, KB4578972, KB4578974, KB4579976, KB4579977, KB4579978, KB4579979, KB4579980, KB4580327, KB4580328, KB4580330, KB4580467, KB4580468, KB4580469, KB4580470
- CVE Reference
- CVE-2020-16937
- CVSS Scores
- Base 4.3 / Temporal 3.2
- Description
-
An information disclosure vulnerability exists when the .NET Framework improperly handles objects in memory.
KB4578968,KB4578969,KB4578971,KB4578972,KB4578974,KB4579976,KB4579977,KB4579978,KB4579979,KB4579980,KB4580327,KB4580328,KB4580330,KB4580467,KB4580468,KB4580469,KB4580470 kbs are covered.
This security update is rated Important for supported versions of Microsoft .NET Framework.
.NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 and 4.8
QID Detection Logic (Authenticated):
- Checks for vulnerable version of System.security.dll for .Net Framework
- Consequence
- An attacker who successfully exploited the vulnerability can disclose contents of an affected system's memory.
- Solution
-
Customers are advised to refer to CVE-2020-16937 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-16937
-
Microsoft Windows Security Update for October 2020
- Severity
- Critical 4
- Qualys ID
- 91683
- Vendor Reference
- KB4577668, KB4577671, KB4579311, KB4580327, KB4580328, KB4580330, KB4580345, KB4580346, KB4580347, KB4580353, KB4580358, KB4580378, KB4580382, KB4580385, KB4580387
- CVE Reference
- CVE-2020-0764, CVE-2020-1047, CVE-2020-1080, CVE-2020-1167, CVE-2020-1243, CVE-2020-16863, CVE-2020-16876, CVE-2020-16877, CVE-2020-16885, CVE-2020-16887, CVE-2020-16889, CVE-2020-16890, CVE-2020-16891, CVE-2020-16892, CVE-2020-16894, CVE-2020-16895, CVE-2020-16896, CVE-2020-16897, CVE-2020-16899, CVE-2020-16900, CVE-2020-16901, CVE-2020-16902, CVE-2020-16905, CVE-2020-16907, CVE-2020-16909, CVE-2020-16910, CVE-2020-16911, CVE-2020-16912, CVE-2020-16913, CVE-2020-16914, CVE-2020-16915, CVE-2020-16916, CVE-2020-16919, CVE-2020-16920, CVE-2020-16921, CVE-2020-16922, CVE-2020-16923, CVE-2020-16924, CVE-2020-16927, CVE-2020-16935, CVE-2020-16936, CVE-2020-16938, CVE-2020-16939, CVE-2020-16940, CVE-2020-16967, CVE-2020-16968, CVE-2020-16972, CVE-2020-16973, CVE-2020-16974, CVE-2020-16975, CVE-2020-16976, CVE-2020-16980
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft releases the security update for Windows October 2020
The KB Articles associated with the update:
KB4580385
KB4577668
KB4580358
KB4580353
KB4580378
KB4580347
KB4580387
KB4580346
KB4580330
KB4580382
KB4580345
KB4577671
KB4580327
KB4580328
KB4579311
QID Detection Logic (Authenticated):
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB4580385 - 6.0.6003.20953
KB4577668 - 10.0.17763.1518
KB4580358 - 6.3.9600.19846
KB4580353 - 6.2.9200.23179
KB4580378 - 6.0.6003.20953
KB4580347 - 6.3.9600.19846
KB4580387 - 6.1.7601.24561
KB4580346 - 10.0.14393.3986
KB4580330 - 10.0.17134.1792
KB4580382 - 6.2.9200.23179
KB4580345 - 6.1.7601.24561
KB4577671 - 10.0.18362.1139
KB4580327 - 10.0.10240.18725
KB4580328 - 10.0.16299.2166
KB4579311 - 10.0.19041.572
- Consequence
- An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Windows Servicing Stack Security Update October 2020
- Severity
- Medium 2
- Qualys ID
- 91684
- Vendor Reference
- ADV990001
- CVE Reference
- N/A
- CVSS Scores
- Base 3.7 / Temporal 2.7
- Description
-
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Microsoft has released Servicing Stack security updates for Windows.
QID Detection Logic (Authenticated):
This authenticated QID will check for file version of CbsCore.dll - Consequence
-
Successful exploitation may allow unauthorized disclosure of information, unauthorized modification or disruption of service.
- Solution
-
Customers are advised to refer to advisory ADV990001 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV990001
-
Microsoft Dynamics 365 Security Update for October 2020
- Severity
- Critical 4
- Qualys ID
- 91685
- Vendor Reference
- KB4578105, KB4578106
- CVE Reference
- CVE-2020-16956, CVE-2020-16978
- CVSS Scores
- Base 3.5 / Temporal 2.6
- Description
-
The following vulnerabilities exist in Microsoft Dynamics 365 (on-premises) and Dynamics 365 Commerce:
CVE-2020-16956, CVE-2020-16978: A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server.Affected Versions:
Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft Dynamics 365 (on-premises) version 9.0KB Articles: KB4578105, KB4578106
QID Detection Logic:
This authenticated QID flags vulnerable systems by detecting Microsoft.Crm.Setup.Server.exe versions lesser than:
Microsoft Dynamics 365 (on-premises) version 8.2: 8.2.23.16
Microsoft Dynamics 365 (on-premises) version 9.0: 9.0.21.8 - Consequence
- Depending on the vulnerability being exploited, an attacker to conduct cross-site scripting attacks or update data without proper authorization.
- Solution
-
Customers are advised to refer to KB4578105, KB4578106, for more details pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4578105
KB4578106
Release Notes
-
Microsoft Windows TCP/IP Remote Code Execution Vulnerability
- Severity
- Urgent 5
- Qualys ID
- 91686
- Vendor Reference
- CVE-2020-16898
- CVE Reference
- CVE-2020-16898
- CVSS Scores
- Base 5.8 / Temporal 4.6
- Description
-
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.
The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
QID Detection Logic (Authenticated):
This QID checks for the file version of ntoskrnl.exe
The following versions of "tcpip.sys" with their corresponding KBs are verified:
KB4577668 - 10.0.17763.1518
KB4577671 - 10.0.18362.1139
KB4579311 - 10.0.19041.572
KB4580328 - 10.0.16299.2166
KB4580330 - 10.0.17134.1792
- Consequence
- An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
- Solution
-
Please refer to the CVE-2020-16898 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-16898 WIndows
These new vulnerability checks are included in Qualys vulnerability signature 2.5.6-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100411
- 110363
- 110364
- 45468
- 50102
- 91682
- 91683
- 91684
- 91685
- 91686
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.