Patch Analysis for October 2020

Welcome to this October Patch Monday Bulletin. This month there are patches from Adobe, Google, Mozilla, and Oracle. The big news this month is an actively exploited zero-day in Google Chrome. The flaw was disclosed on Monday and patched on Tuesday, so technical details were public for only a very short window before the fix. Adobe had a huge month, patching 11 products and addressing numerous vulnerabilities. The most notable were Magento and Adobe Flash Player, both Critical Priority 2 updates. Take some time to review and update these applications after you have reviewed Google Chrome. The Adobe Flash issues can be mitigated by disabling Flash through Group Policy. October is another Critical Patch Update for Oracle, fixing 8 CVEs in Java. Mozilla released updates for Firefox and Thunderbird, but none of those vulnerabilities were known to be attacked in the wild. Finally, Microsoft released out-of-band updates to address 2 important vulnerabilities (CVE-2020-17022, CVE-2020-17023) that could result in remote code execution.
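The two actions the bulletin puts first (get Chrome to the fixed build and block Flash by policy) can be checked on a Windows host with the PowerShell below. This is an added example, not code from the bulletin; it assumes Chrome's default install paths and the standard Chrome and Internet Explorer policy registry values (DefaultPluginsSetting, DisableFlashInIE) that the Group Policy templates write.

```powershell
# Added example: audit one host against the October 2020 chart.
# Chrome: the chart lists "Before 86.0.4240.111" as affected.
$ChromeFixed = [version]'86.0.4240.111'

function Get-ChromeVersion {
    # Default Chrome install roots; entries that are not set (e.g. no x86 root) are dropped.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
        Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Google\Chrome\Application\chrome.exe'
        if (Test-Path $exe) {
            return [version](Get-Item $exe).VersionInfo.ProductVersion
        }
    }
    return $null   # Chrome not installed in a default location
}

function Test-FlashBlocked {
    # Assumption: these are the registry values written by the Group Policy settings
    # "Default Flash setting" (Chrome, 2 = block) and "Turn off Adobe Flash in IE" (1 = off).
    $chrome = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' `
        -Name DefaultPluginsSetting -ErrorAction SilentlyContinue
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer' `
        -Name DisableFlashInIE -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ChromeFlashBlockedByPolicy = ($chrome.DefaultPluginsSetting -eq 2)
        IEFlashDisabledByPolicy    = ($ie.DisableFlashInIE -eq 1)
    }
}

$v = Get-ChromeVersion
if ($null -eq $v) {
    'Chrome: not found in default install locations'
} elseif ($v -lt $ChromeFixed) {
    "Chrome $v is below $ChromeFixed - update as soon as possible"
} else {
    "Chrome $v is at or above the fixed build"
}
Test-FlashBlocked
```

Run it elevated on a sample of workstations (or wrap it in Invoke-Command) to find hosts that still need the Chrome update or lack the Flash policy.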

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007, when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint, but I also found a similar need in SQL Server and Exchange. So not only did I document the data, but I also started to develop the means to extract that event data from these applications so that it's accessible and usable to the end user. Some 8 years later, LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here's the chart of non-MS patches this month.

Patch data provided by:

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| CVE-2020-24422 | Adobe Creative Cloud Desktop Application | 5.2 and earlier; 2.1 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| CVE-2020-24421 | Adobe InDesign | 15.1.2 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| CVE-2020-24424 | Adobe Premiere Pro | 14.4 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| CVE-2020-24420 | Adobe Photoshop | CC 2019 20.0.10 and earlier; 2020 21.2.2 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe After Effects | 17.1.1 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe Animate | 20.5 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| CVE-2020-24416 | Marketo | 1.4355 and earlier | 10/20/2020 | Cross-Site Scripting | Important Priority 2: Update within 30 days |
| CVE-2020-24425 | Adobe Dreamweaver | 20.2 and earlier | 10/20/2020 | Privilege Escalation | Important Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe Illustrator | 24.2 and earlier | 10/20/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| Multiple CVEs | Magento | Commerce 2.3.5-p1, 2.3.5-p2, 2.4.0 and earlier; Open Source 2.3.5-p1, 2.3.5-p2, 2.4.0 and earlier | 10/15/2020 | SQL Injection, Arbitrary Code Execution, Security Bypass, Information Disclosure, Cross-Site Scripting | Critical Priority 2: Update within 30 days |
| CVE-2020-9746 | Adobe Flash Player | 32.0.0.433 and earlier; Edge/IE 32.0.0.387 | 10/13/2020 | Arbitrary Code Execution | Critical Priority 2: Update within 30 days |
| Multiple CVEs | Google Chrome | Before 86.0.4240.111 | 10/20/2020 | Use After Free, Security Bypass, Information Disclosure | Update as soon as possible |
| Multiple CVEs | Mozilla Firefox | Before 82 / ESR 78.4 | 10/20/2020 | Denial of Service, Information Disclosure, Spoofing | Update after testing |
| Multiple CVEs | Mozilla Thunderbird | Before 78.4 | 10/21/2020 | Denial of Service | Update after testing |
| Multiple CVEs | Oracle Java | 7u271, 8u261, 11.0.8, 15 | 10/20/2020 | Denial of Service, Information Disclosure | Update after testing |


Additional Resources