Cloud Platform
Support
Contact us

Microsoft security alert.

October 13, 2020

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 81 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Windows Adobe Flash Player Security Update for October 2020 (ADV200012)

    Severity
    Critical 4
    Qualys ID
    100411
    Vendor Reference
    ADV200012
    CVE Reference
    CVE-2020-9746
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    The update contains security fixes for Adobe Flash Player on Internet Explorer.

    Affected Versions:
    Windows 10, version 2004,Windows 10, version 1903 and 1909,Windows 10, version 1809 and Windows Server 2019,Windows 10, version 1803,Windows 10, version 1709,Windows 10, version 1703,Windows 10, version 1607 and Windows Server 2016,Windows 10 (initial version released July 2015),Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2,Windows Server 2012 with Adobe Flash Player version prior to N/A.

    QID Detection Logic:
    This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is 32.0.0.433 and earlier.

    Consequence

    An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.

    Solution
    Customers are advised to follow 4580325 for instructions pertaining to the remediation of this vulnerability.

    Workaround:
    1. Prevent Adobe Flash Player from running You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.
    2. Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400

    3. [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400
    Double-click the .reg file to apply it to an individual system.
    You can also apply this workaround across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV200012 WIndows

  • Microsoft SharePoint Foundation and SharePoint Server Update October 2020

    Severity
    Critical 4
    Qualys ID
    110363
    Vendor Reference
    KB4484531, KB4486676, KB4486677, KB4486687, KB4486694, KB4486708
    CVE Reference
    CVE-2020-16929, CVE-2020-16941, CVE-2020-16942, CVE-2020-16944, CVE-2020-16945, CVE-2020-16946, CVE-2020-16948, CVE-2020-16950, CVE-2020-16951, CVE-2020-16952, CVE-2020-16953
    CVSS Scores
    Base 6.8 / Temporal 5.3
    Description
    Microsoft has released October 2020 security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB4486708
    KB4486677
    KB4486676
    KB4486694
    KB4486687
    KB4484531

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected SharePoint system.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft SharePoint Foundation and SharePoint Server October 2020

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2020

    Severity
    Critical 4
    Qualys ID
    110364
    Vendor Reference
    KB4462175, KB4484417, KB4484435, KB4484524, KB4486663, KB4486671, KB4486674, KB4486678, KB4486679, KB4486682, KB4486688, KB4486689, KB4486692, KB4486695, KB4486700, KB4486701, KB4486703, KB4486707
    CVE Reference
    CVE-2020-16918, CVE-2020-16928, CVE-2020-16929, CVE-2020-16930, CVE-2020-16931, CVE-2020-16932, CVE-2020-16933, CVE-2020-16934, CVE-2020-16947, CVE-2020-16949, CVE-2020-16954, CVE-2020-16955, CVE-2020-16957
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft has released October 2020 security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB4486695
    KB4486707
    KB4486663
    KB4486678
    KB4486692
    KB4486703
    KB4486701
    KB4486674
    KB4486671
    KB4486679
    KB4486689
    KB4486682
    KB4484524
    KB4486700
    KB4486688
    KB4462175
    KB4484417
    KB4484435

    QID Detection Logic:
    This authenticated QID checks the file versions from the Microsoft advisory with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2020

  • Microsoft Windows TCP/IP ICMPv6 RDNSS Disabled

    Severity
    Minimal 1
    Qualys ID
    45468
    Vendor Reference
    CVE-2020-16898
    CVE Reference
    N/A
    CVSS Scores
    Base / Temporal
    Description
    The host has "ICMPv6 RDNSS" disabled in the Windows TCP/IP settings.

    QID Detection Logic (Authenticated):
    This QID executes powershell command "netsh int ipv6 show interfaces level=verbose | Select-String -Pattern 'IfIndex\s+: ([2-9]|[0-9]{2,})' -Context 1,3000" , This QID will only flag when all interfaces except loopback have RDNSS disabled.

    NOTE: You may see this QID is supported by remote scanner (Appliance scan) and Cloud Agent in UI, but it is supported by Cloud Agent only.

    Consequence
    N/A
    Solution
    Use powershell command "netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable" to disable RDNSS.
  • Microsoft Exchange Server Security Update for October 2020

    Severity
    Serious 3
    Qualys ID
    50102
    Vendor Reference
    KB4581424
    CVE Reference
    CVE-2020-16969
    CVSS Scores
    Base 4.3 / Temporal 3.2
    Description
    An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages.

    The security update corrects the way that Exchange handles these token validations.

    Affected Software:
    Microsoft Exchange Server 2013 Cumulative Update 23
    Microsoft Exchange Server 2016 Cumulative Update 17
    Microsoft Exchange Server 2016 Cumulative Update 18
    Microsoft Exchange Server 2019 Cumulative Update 6
    Microsoft Exchange Server 2019 Cumulative Update 7

    KB articles covered: 4581424.

    QID Detection Logic (authenticated):
    The QID checks for the version of file Exsetup.exe if it is lesser than:
    The version for Microsoft Exchange Server 2013 Cumulative Update 23 is
    The version for Microsoft Exchange Server 2016 Cumulative Update 17 is
    The version for Microsoft Exchange Server 2016 Cumulative Update 18 is
    The version for Microsoft Exchange Server 2019 Cumulative Update 6 is
    The version for Microsoft Exchange Server 2019 Cumulative Update 7 is

    Consequence
    Successful exploitation allows an attacker to leverage this vulnerability and gain further information from a user.

    Solution
    Customers are advised to refer to CVE-2020-16969 for information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4581424

  • Microsoft .NET Framework Security Updates for October 2020

    Severity
    Critical 4
    Qualys ID
    91682
    Vendor Reference
    KB4578968, KB4578969, KB4578971, KB4578972, KB4578974, KB4579976, KB4579977, KB4579978, KB4579979, KB4579980, KB4580327, KB4580328, KB4580330, KB4580346, KB4580467, KB4580468, KB4580469, KB4580470
    CVE Reference
    CVE-2020-16937
    CVSS Scores
    Base 4.3 / Temporal 3.4
    Description
    An information disclosure vulnerability exists when the .NET Framework improperly handles objects in memory.

    KB4578968,KB4578969,KB4578971,KB4578972,KB4578974,KB4579976,KB4579977,KB4579978,KB4579979,KB4579980,KB4580327,KB4580328,KB4580330,KB4580346,KB4580467,KB4580468,KB4580469,KB4580470 kbs are covered.

    This security update is rated Important for supported versions of Microsoft .NET Framework.

    .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 and 4.8

    QID Detection Logic (Authenticated):
    - Checks for vulnerable version of System.security.dll for .Net Framework

    Consequence
    An attacker who successfully exploited the vulnerability can disclose contents of an affected system's memory.
    Solution
    Customers are advised to refer to CVE-2020-16937 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2020-16937

  • Microsoft Windows Security Update for October 2020

    Severity
    Critical 4
    Qualys ID
    91683
    Vendor Reference
    KB4577668, KB4577671, KB4579311, KB4580327, KB4580328, KB4580330, KB4580345, KB4580346, KB4580347, KB4580353, KB4580358, KB4580378, KB4580382, KB4580385, KB4580387
    CVE Reference
    CVE-2020-0764, CVE-2020-1047, CVE-2020-1080, CVE-2020-1167, CVE-2020-1243, CVE-2020-16863, CVE-2020-16876, CVE-2020-16877, CVE-2020-16885, CVE-2020-16887, CVE-2020-16889, CVE-2020-16890, CVE-2020-16891, CVE-2020-16892, CVE-2020-16894, CVE-2020-16895, CVE-2020-16896, CVE-2020-16897, CVE-2020-16899, CVE-2020-16900, CVE-2020-16901, CVE-2020-16902, CVE-2020-16905, CVE-2020-16907, CVE-2020-16909, CVE-2020-16910, CVE-2020-16911, CVE-2020-16912, CVE-2020-16913, CVE-2020-16914, CVE-2020-16915, CVE-2020-16916, CVE-2020-16919, CVE-2020-16920, CVE-2020-16921, CVE-2020-16922, CVE-2020-16923, CVE-2020-16924, CVE-2020-16927, CVE-2020-16935, CVE-2020-16936, CVE-2020-16938, CVE-2020-16939, CVE-2020-16940, CVE-2020-16967, CVE-2020-16968, CVE-2020-16972, CVE-2020-16973, CVE-2020-16974, CVE-2020-16975, CVE-2020-16976, CVE-2020-16980
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft releases the security update for Windows October 2020

    The KB Articles associated with the update:
    KB4580385
    KB4577668
    KB4580358
    KB4580353
    KB4580378
    KB4580347
    KB4580387
    KB4580346
    KB4580330
    KB4580382
    KB4580345
    KB4577671
    KB4580327
    KB4580328
    KB4579311

    QID Detection Logic (Authenticated):

    This QID checks for the file version of ntoskrnl.exe

    The following versions of ntoskrnl.exe with their corresponding KBs are verified:
    KB4580385 - 6.0.6003.20953
    KB4577668 - 10.0.17763.1518
    KB4580358 - 6.3.9600.19846
    KB4580353 - 6.2.9200.23179
    KB4580378 - 6.0.6003.20953
    KB4580347 - 6.3.9600.19846
    KB4580387 - 6.1.7601.24561
    KB4580346 - 10.0.14393.3986
    KB4580330 - 10.0.17134.1792
    KB4580382 - 6.2.9200.23179
    KB4580345 - 6.1.7601.24561
    KB4577671 - 10.0.18362.1139
    KB4580327 - 10.0.10240.18725
    KB4580328 - 10.0.16299.2166
    KB4579311 - 10.0.19041.572

    Consequence
    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Windows Servicing Stack Security Update October 2020

    Severity
    Medium 2
    Qualys ID
    91684
    Vendor Reference
    ADV990001
    CVE Reference
    N/A
    CVSS Scores
    Base 3.7 / Temporal 2.7
    Description
    Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.

    Microsoft has released Servicing Stack security updates for Windows.

    QID Detection Logic (Authenticated):
    This authenticated QID will check for file version of CbsCore.dll

    Consequence
    Successful exploitation may allow unauthorized disclosure of information, unauthorized modification or disruption of service.

    Solution
    Customers are advised to refer to advisory ADV990001 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV990001

  • Microsoft Dynamics 365 Security Update for October 2020

    Severity
    Critical 4
    Qualys ID
    91685
    Vendor Reference
    KB4578105, KB4578106
    CVE Reference
    CVE-2020-16956, CVE-2020-16978
    CVSS Scores
    Base 3.5 / Temporal 2.6
    Description
    The following vulnerabilities exist in Microsoft Dynamics 365 (on-premises) and Dynamics 365 Commerce:
    CVE-2020-16956, CVE-2020-16978: A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server.

    Affected Versions:
    Microsoft Dynamics 365 (on-premises) version 8.2
    Microsoft Dynamics 365 (on-premises) version 9.0

    KB Articles: KB4578105, KB4578106

    QID Detection Logic:
    This authenticated QID flags vulnerable systems by detecting Microsoft.Crm.Setup.Server.exe versions lesser than:
    Microsoft Dynamics 365 (on-premises) version 8.2: 8.2.23.16
    Microsoft Dynamics 365 (on-premises) version 9.0: 9.0.21.8

    Consequence
    Depending on the vulnerability being exploited, an attacker to conduct cross-site scripting attacks or update data without proper authorization.
    Solution
    Customers are advised to refer to KB4578105, KB4578106, for more details pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4578105
    KB4578106
    Release Notes

  • Microsoft Windows TCP/IP Remote Code Execution Vulnerability

    Severity
    Urgent 5
    Qualys ID
    91686
    Vendor Reference
    CVE-2020-16898
    CVE Reference
    CVE-2020-16898
    CVSS Scores
    Base 5.8 / Temporal 4.3
    Description
    A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.

    The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

    QID Detection Logic (Authenticated):

    This QID checks for the file version of ntoskrnl.exe

    The following versions of "tcpip.sys" with their corresponding KBs are verified:
    KB4577668 - 10.0.17763.1518
    KB4577671 - 10.0.18362.1139
    KB4579311 - 10.0.19041.572
    KB4580328 - 10.0.16299.2166
    KB4580330 - 10.0.17134.1792

    Consequence
    An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
    Solution
    Please refer to the CVE-2020-16898 for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2020-16898 WIndows

These new vulnerability checks are included in Qualys vulnerability signature 2.5.6-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100411
    • 110363
    • 110364
    • 45468
    • 50102
    • 91682
    • 91683
    • 91684
    • 91685
    • 91686
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.