November, 2020: Patch Monday: Chrome 0-Days Exploited

Welcome to this November Patch Monday Bulletin. This month there are updates for Adobe, Apple, Google, and Mozilla. The biggest issue this month is Chrome, with three vulnerabilities that were actively attacked in the wild. CVE-2020-16009 is an “Inappropriate Implementation” vulnerability that lets an attacker exploit the browser when a user visits a malicious web page. CVE-2020-16013 and CVE-2020-16017 were also attacked in the wild; the first is another “Inappropriate Implementation” flaw and the second a “use after free in site isolation.” Both require the user to navigate to a malicious web page for the attacker to execute code. Updates were available on November 11th for these vulnerabilities. Chrome should auto-update, but users often leave browser sessions open for extended periods if they do not reboot their machines frequently, and an open session keeps running the old build until the browser is restarted.

Follow up Chrome with Firefox updates. CVE-2020-1599 was exploited in the wild against Chrome and may affect Firefox as well, but it can only be exploited if an obscure preference is toggled on in Firefox for Linux or Android.

Adobe had relatively few updates this month and there were no Priority 1 patches, but you should review the updates for Acrobat and Reader. Finally, review the environment for installations of iTunes for Windows and update if necessary.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server operating systems. Back in 2007, when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but had a similar need for SQL Server and Exchange. So not only did I document the data, I also started to develop the means to extract that event data from these applications so that it is accessible and usable to the end user. Some 8 years later, LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

Patch data provided by:

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| Multiple CVEs | Adobe Connect | 11.0 and earlier | 11/10/2020 | Cross Site Scripting | Important / Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe Acrobat and Reader | Continuous 2020.012.20048 and earlier; Classic 2020 2020.001.30005 and earlier; Classic 2017 2017.011.30175 and earlier | 11/3/2020 | Arbitrary Code Execution, Privilege Escalation, Information Disclosure, Security Bypass | Critical / Priority 2: Update within 30 days |
| Multiple CVEs | iTunes for Windows | Before 12.11 | 11/17/2020 | Information Disclosure, Arbitrary Code Execution, Denial of Service | Update after testing |
| Multiple CVEs | Google Chrome | Win/Linux before 87.0.4280.66; Mac before 87.0.4280.67 | 11/17/2020 | Use After Free, Security Bypass | Update as soon as possible |
| Multiple CVEs | Mozilla Firefox | Before 83 / ESR 78.5 | 11/17/2020 | Security Bypass, Information Disclosure, Cross Site Scripting, Denial of Service | Update after testing |
| Multiple CVEs | Mozilla Thunderbird | Before 78.5 | 11/17/2020 | Security Bypass, Information Disclosure, Cross Site Scripting, Denial of Service | Update after testing |
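As an added example, not part of the original bulletin, the following PowerShell script checks a Windows host against the minimum fixed versions in the chart above for Chrome, Firefox and Thunderbird, and also catches the case called out at the top of the bulletin: a Chrome session left open that is still running the build from before the update. The install paths, and the assumption that Chrome keeps each build in an `Application\<version>` folder with its own `chrome.dll`, are mine; adjust them for per-user or non-default installs. The Mac Chrome minimum differs and is not covered here.

```powershell
# Added example, not part of the original bulletin: check a Windows host against the
# November minimum fixed versions in the chart and flag a Chrome session that is still
# running an older build than the one its updater has already installed.
# Assumptions: the default install paths below, and Chrome's Application\<version>\chrome.dll layout.

# Minimum fixed Windows versions from the chart; Firefox lists the release and ESR branches.
$Minimums = @{
    'Google Chrome'       = @([version]'87.0.4280.66')
    'Mozilla Firefox'     = @([version]'83.0', [version]'78.5')
    'Mozilla Thunderbird' = @([version]'78.5')
}

# Default install locations (assumption; add custom or per-user paths as needed).
$Binaries = @{
    'Google Chrome'       = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                              "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
                              "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe")
    'Mozilla Firefox'     = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe",
                              "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe")
    'Mozilla Thunderbird' = @("$env:ProgramFiles\Mozilla Thunderbird\thunderbird.exe",
                              "${env:ProgramFiles(x86)}\Mozilla Thunderbird\thunderbird.exe")
}

function ConvertTo-Version {
    # Keep only the numeric dotted prefix so a string such as "78.5.0esr" still parses.
    param([string]$Text)
    $m = [regex]::Match($Text, '^\d+(\.\d+){1,3}')
    if ($m.Success) { return [version]$m.Value }
}

function Get-InstalledBrowser {
    param([string]$Name)
    foreach ($p in $Binaries[$Name]) {
        if (Test-Path -LiteralPath $p) {
            $v = ConvertTo-Version (Get-Item -LiteralPath $p).VersionInfo.ProductVersion
            if ($Name -eq 'Google Chrome') {
                # Chrome's updater stages the new build as Application\<version> while the
                # browser is running, so the newest version folder is the installed version
                # even when chrome.exe on disk still reports the old one (layout assumption).
                $dirs = Get-ChildItem -LiteralPath (Split-Path -Parent $p) -Directory |
                    ForEach-Object { ConvertTo-Version $_.Name } | Where-Object { $_ }
                if ($dirs) { $v = @($dirs | Sort-Object)[-1] }
            }
            return [pscustomobject]@{ Product = $Name; Path = $p; Installed = $v }
        }
    }
}

function Get-ChromeSessionVersions {
    # A running Chrome keeps the build it started with until every chrome.exe exits, and
    # the version of that build is the name of the folder its chrome.dll was loaded from.
    $running = @()
    foreach ($proc in @(Get-Process -Name chrome -ErrorAction SilentlyContinue)) {
        try {
            $dll = $proc.Modules | Where-Object { $_.ModuleName -ieq 'chrome.dll' } | Select-Object -First 1
            if ($dll) { $running += ConvertTo-Version (Split-Path -Leaf (Split-Path -Parent $dll.FileName)) }
        } catch {
            # Modules of a process with a different bitness or integrity level are not readable.
        }
    }
    $running | Where-Object { $_ } | Sort-Object -Unique
}

function Test-PatchLevel {
    foreach ($name in $Minimums.Keys) {
        $inst = Get-InstalledBrowser -Name $name
        if (-not $inst -or -not $inst.Installed) { continue }
        # Compare against the branch with the same major version (ESR), otherwise the newest minimum.
        $min = $Minimums[$name] | Where-Object { $_.Major -eq $inst.Installed.Major } | Select-Object -First 1
        if (-not $min) { $min = @($Minimums[$name] | Sort-Object)[-1] }
        $status = if ($inst.Installed -ge $min) { 'OK' } else { 'UPDATE' }
        $note = ''
        if ($name -eq 'Google Chrome') {
            $stale = @(Get-ChromeSessionVersions | Where-Object { $_ -lt $inst.Installed })
            if ($stale.Count -gt 0) {
                $note = "running $($stale -join ', '); restart Chrome to load the installed build"
                if (@($stale | Where-Object { $_ -lt $min }).Count -gt 0) { $status = 'RESTART' }
            }
        }
        [pscustomobject]@{ Product = $name; Installed = $inst.Installed; Minimum = $min; Status = $status; Note = $note }
    }
}

Test-PatchLevel | Format-Table -AutoSize
```

A `RESTART` status is the one to chase: the patched build is on disk but the user is still browsing with the vulnerable one, which is exactly what the auto-updater cannot fix on its own. Run it through your endpoint management tool rather than by hand, since the Chrome process check needs to run in the user's session to see their chrome.exe processes.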