Experts Reacted Microsoft’s New Patch Tuesday Format: “A Bad Move” And “Disappointing”

This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft, as the company ended a streak of patching over 100 CVEs last month when they patched 87 CVEs. One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome. The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year. Chaining vulnerabilities is an important tactic for threat actors. While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.  Read Less