Packet pwnage peril
Microsoft has patched a critical vulnerability in the Windows TCP/IP stack that, if left unpatched, gives attackers a way to execute code on vulnerable systems by sending them crafted network traffic.
The vulnerability (CVE-2020-16898) arises from flaws in the handling of ICMPv6 Router Advertisement packets. The flaw, which affects Windows 10 and Windows Server 2019 among other supported systems, scores 9.8 on the CVSSv3 scale, just a shade below the maximum of 10.0.
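The bug is in how the stack handles Router Advertisement packets, so it is worth seeing what a strict Router Advertisement parser checks. The C below is an added example written for this article, not Microsoft's code and not a reproduction of the Windows bug. It walks the option TLVs that follow the 16-byte RA header (RFC 4861), rejects a zero Length (RFC 4861 forbids it, and a parser that does not check it never advances), rejects any option that extends past the packet, and copies the addresses carried in an RDNSS option (type 25, RFC 8106) into a fixed-size buffer only after confirming the Length field is odd and at least 3, as that RFC requires. Published analyses of CVE-2020-16898 pointed at the RDNSS option's Length field; this article does not go into that detail. The packets are constructed inline for the example, the checksum is not verified, and the status codes and struct names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134   /* ICMPv6 type for Router Advertisement */
#define ND_OPT_RDNSS     25    /* Recursive DNS Server option, RFC 8106 */
#define RA_HEADER_LEN    16    /* 4-byte ICMPv6 header + 12 bytes of RA fields */
#define MAX_RDNSS_ADDRS  4

/* Status codes are the example's own, not Windows or RFC names. */
enum ra_status { RA_OK = 0, RA_TRUNCATED, RA_BAD_TYPE, RA_ZERO_LENGTH, RA_OVERRUN, RA_BAD_RDNSS };

struct ra_result {
    size_t option_count;
    size_t rdnss_count;
    uint8_t rdnss[MAX_RDNSS_ADDRS][16];   /* fixed-size destination buffer */
};

/* Validate a Router Advertisement and copy its RDNSS servers into *res.
 * Every length read from the packet is checked against the packet bounds
 * before it is used. Returns RA_OK or the first error found. */
enum ra_status parse_ra(const uint8_t *pkt, size_t len, struct ra_result *res)
{
    memset(res, 0, sizeof *res);
    if (len < RA_HEADER_LEN) return RA_TRUNCATED;
    if (pkt[0] != ND_ROUTER_ADVERT || pkt[1] != 0) return RA_BAD_TYPE;

    size_t off = RA_HEADER_LEN;
    while (off < len) {
        if (len - off < 2) return RA_TRUNCATED;      /* need Type and Length bytes */
        uint8_t type = pkt[off];
        uint8_t units = pkt[off + 1];                 /* Length is in 8-octet units */
        size_t olen = (size_t)units * 8;
        if (olen == 0) return RA_ZERO_LENGTH;         /* RFC 4861 4.6: must be discarded */
        if (olen > len - off) return RA_OVERRUN;      /* option runs past the packet */

        if (type == ND_OPT_RDNSS) {
            /* RFC 8106 5.1: 8-byte option header plus n 16-byte addresses,
             * so Length must be odd and at least 3. Reject anything else
             * rather than guessing how many addresses are present. */
            if (units < 3 || (units & 1) == 0) return RA_BAD_RDNSS;
            size_t n = (olen - 8) / 16;
            for (size_t i = 0; i < n; i++) {
                if (res->rdnss_count >= MAX_RDNSS_ADDRS) break;   /* destination full: stop copying */
                memcpy(res->rdnss[res->rdnss_count++], pkt + off + 8 + i * 16, 16);
            }
        }
        res->option_count++;
        off += olen;
    }
    return RA_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t ra_valid[] = {
    0x86, 0x00, 0x00, 0x00,          /* type 134, code 0, checksum (not verified here) */
    0x40, 0x00, 0x07, 0x08,          /* hop limit 64, flags 0, router lifetime 1800 */
    0x00, 0x00, 0x00, 0x00,          /* reachable time */
    0x00, 0x00, 0x00, 0x00,          /* retrans timer */
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* source link-layer address, Length 1 */
    0x19, 0x03, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x10,   /* RDNSS, Length 3, lifetime 3600 */
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00,   /* 2001:db8::53 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x53,
};
static const uint8_t ra_even_rdnss[] = {              /* RDNSS with even Length 4: forbidden by RFC 8106 */
    0x86, 0x00, 0x00, 0x00, 0x40, 0x00, 0x07, 0x08,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x19, 0x04, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x53,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
static const uint8_t ra_zero_len[] = {                /* option with Length 0: never advances a naive loop */
    0x86, 0x00, 0x00, 0x00, 0x40, 0x00, 0x07, 0x08,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
};

int main(void)
{
    struct ra_result r;
    enum ra_status s = parse_ra(ra_valid, sizeof ra_valid, &r);
    printf("valid packet:  status %d, %zu options, %zu DNS servers\n", s, r.option_count, r.rdnss_count);
    printf("even RDNSS:    status %d\n", parse_ra(ra_even_rdnss, sizeof ra_even_rdnss, &r));
    printf("zero Length:   status %d\n", parse_ra(ra_zero_len, sizeof ra_zero_len, &r));
    printf("truncated:     status %d\n", parse_ra(ra_valid, 26, &r));
    return 0;
}
```

The point of the truncated case is that the same packet bytes are fed in with a shorter length, which is exactly how a parser is caught out in practice: the header and first option are fine, and only the bounds check on the second option stops it reading past the end of the buffer.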
‘Godzilla of bugs’
Travis Biehn, technical strategist at Synopsys, described it as the “Godzilla of bugs”.
“Unpatched systems are vulnerable by default,” Biehn commented. “I strongly encourage system administrators to patch all affected systems immediately.
“While we’re unaware of any working exploits at this time, APTs around the globe are undoubtedly having a sleepless night racing to weaponize this bug.”
Enterprises that have already rolled out IPv6 should go straight to patching, according to other experts.
Dustin Childs of Trend Micro’s Zero Day Initiative added: “If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround.
“Microsoft also gives this bug its highest exploitability rating, so exploits are likely. You should definitely test and deploy this patch as soon as possible.”
Microsoft released patches for 87 CVEs as part of the October edition of its regular Patch Tuesday update cycle. This is slightly fewer than in recent months, when the total has consistently exceeded 100.
Eleven of the flaws are rated critical. The batch includes two critical updates for Microsoft SharePoint (CVE-2020-16951 and CVE-2020-16952) and a separate critical flaw affecting Microsoft’s Outlook email client.
The CVE-2020-16947 vulnerability allows code execution on affected versions of Outlook just by viewing a specially crafted email.
“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” ZDI’s Childs explained. “The specific flaw exists within the parsing of HTML content in an email.
“The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer,” he added.
A patching matrix put together by the SANS Institute’s Internet Storm Center offers a handy visual guide to the relative importance of Microsoft’s latest round of software updates.