CSIRT Panamá Aviso 2020-11-11 Actualizaciones de Microsoft corriguen 17 fallas criticas.
Gravedad: Alta
Fecha de publicación: noviembre 11, 2020
Última revisión: noviembre 10, 2020
https://msrc.microsoft.com/update-guide/en-us/releaseNote/2020-Nov
Sistemas Afectados:
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Internet Explorer
Microsoft Edge (EdgeHTML-based)
Microsoft Edge (Chromium-based)
ChakraCore
Microsoft Exchange Server
Microsoft Dynamics
Microsoft Windows Codecs Library
Azure Sphere
Windows Defender
Microsoft Teams
Azure SDK
Azure DevOps
Visual Studio
I. Descripción
Con el lanzamiento de las actualizaciones de seguridad de noviembre de 2020, Microsoft lanzó correcciones para 112 vulnerabilidades en los productos de Microsoft.
De estas vulnerabilidades, 17 se clasifican como críticas, 93 como importantes, 1 como importan y 2 como moderadas.
II. Problemas Conocidos
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Azure DevOps | CVE-2020-1325 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important |
| Azure Sphere | CVE-2020-16985 | Azure Sphere Information Disclosure Vulnerability | Important |
| Azure Sphere | CVE-2020-16986 | Azure Sphere Denial of Service Vulnerability | Important |
| Azure Sphere | CVE-2020-16987 | Azure Sphere Unsigned Code Execution Vulnerability | Important |
| Azure Sphere | CVE-2020-16984 | Azure Sphere Unsigned Code Execution Vulnerability | Important |
| Azure Sphere | CVE-2020-16981 | Azure Sphere Elevation of Privilege Vulnerability | Important |
| Azure Sphere | CVE-2020-16982 | Azure Sphere Unsigned Code Execution Vulnerability | Important |
| Azure Sphere | CVE-2020-16983 | Azure Sphere Tampering Vulnerability | Important |
| Azure Sphere | CVE-2020-16988 | Azure Sphere Elevation of Privilege Vulnerability | Critical |
| Azure Sphere | CVE-2020-16993 | Azure Sphere Elevation of Privilege Vulnerability | Important |
| Azure Sphere | CVE-2020-16994 | Azure Sphere Unsigned Code Execution Vulnerability | Important |
| Azure Sphere | CVE-2020-16970 | Azure Sphere Unsigned Code Execution Vulnerability | Important |
| Azure Sphere | CVE-2020-16992 | Azure Sphere Elevation of Privilege Vulnerability | Important |
| Azure Sphere | CVE-2020-16989 | Azure Sphere Elevation of Privilege Vulnerability | Important |
| Azure Sphere | CVE-2020-16990 | Azure Sphere Information Disclosure Vulnerability | Important |
| Azure Sphere | CVE-2020-16991 | Azure Sphere Unsigned Code Execution Vulnerability | Important |
| Common Log File System Driver | CVE-2020-17088 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Browsers | CVE-2020-17058 | Microsoft Browser Memory Corruption Vulnerability | Critical |
| Microsoft Dynamics | CVE-2020-17005 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17018 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17021 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17006 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17083 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17085 | Microsoft Exchange Server Denial of Service Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17084 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-16998 | DirectX Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-17029 | Windows Canonical Display Driver Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-17004 | Windows Graphics Component Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-17038 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-17068 | Windows GDI+ Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17065 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17064 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17066 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17019 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17067 | Microsoft Excel Security Feature Bypass Vulnerability | Important |
| Microsoft Office | CVE-2020-17062 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17063 | Microsoft Office Online Spoofing Vulnerability | Important |
| Microsoft Office | CVE-2020-17020 | Microsoft Word Security Feature Bypass Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17016 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-16979 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17015 | Microsoft SharePoint Spoofing Vulnerability | Low |
| Microsoft Office SharePoint | CVE-2020-17017 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17061 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17060 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Scripting Engine | CVE-2020-17048 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-17053 | Internet Explorer Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-17052 | Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-17054 | Chakra Scripting Engine Memory Corruption Vulnerability | Important |
| Microsoft Teams | CVE-2020-17091 | Microsoft Teams Remote Code Execution Vulnerability | Important |
| Microsoft Windows | CVE-2020-17032 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17033 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17026 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17031 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17027 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17030 | Windows MSCTF Server Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17028 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17044 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17045 | Windows KernelStream Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17046 | Windows Error Reporting Denial of Service Vulnerability | Low |
| Microsoft Windows | CVE-2020-17043 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17042 | Windows Print Spooler Remote Code Execution Vulnerability | Critical |
| Microsoft Windows | CVE-2020-17041 | Windows Print Configuration Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17034 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17049 | Kerberos Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-17051 | Windows Network File System Remote Code Execution Vulnerability | Critical |
| Microsoft Windows | CVE-2020-17040 | Windows Hyper-V Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-17047 | Windows Network File System Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-17036 | Windows Function Discovery SSDP Provider Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17000 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-1599 | Windows Spoofing Vulnerability | Important |
| Microsoft Windows | CVE-2020-16997 | Remote Desktop Protocol Server Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17001 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17057 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17056 | Windows Network File System Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17055 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17010 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17007 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17014 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17025 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17024 | Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17013 | Win32k Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17011 | Windows Port Class Library Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17012 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2020-17106 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17101 | HEIF Image Extensions Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17105 | AV1 Video Extension Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17102 | WebP Image Extensions Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2020-17082 | Raw Image Extension Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17086 | Raw Image Extension Remote Code Execution Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2020-17081 | Microsoft Raw Image Extension Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2020-17079 | Raw Image Extension Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17078 | Raw Image Extension Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17107 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17110 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17113 | Windows Camera Codec Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2020-17108 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Codecs Library | CVE-2020-17109 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| Visual Studio | CVE-2020-17104 | Visual Studio Code JSHint Extension Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17100 | Visual Studio Tampering Vulnerability | Important |
| Windows Defender | CVE-2020-17090 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability | Important |
| Windows Kernel | CVE-2020-17035 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-17087 | Windows Kernel Local Elevation of Privilege Vulnerability | Important |
| Windows NDIS | CVE-2020-17069 | Windows NDIS Information Disclosure Vulnerability | Important |
| Windows Update Stack | CVE-2020-17074 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-17073 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-17071 | Windows Delivery Optimization Information Disclosure Vulnerability | Important |
| Windows Update Stack | CVE-2020-17075 | Windows USO Core Worker Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-17070 | Windows Update Medic Service Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-17077 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-17076 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important |
| Windows WalletService | CVE-2020-16999 | Windows WalletService Information Disclosure Vulnerability | Important |
| Windows WalletService | CVE-2020-17037 | Windows WalletService Elevation of Privilege Vulnerability | Important |
III. Referencia a soluciones, herramientas e información
Actualizar utilizando Microsoft Windows Update o herramientas de administracion de actualizaciones centralizadas.
IV. Información de contacto
CSIRT PANAMA
Computer Security Incident Response Team Autoridad Nacional para la Innovacion Gubernamental
E-Mail: info@cert.pa
Phone: +507 520-CERT (2378)
Web: https://cert.pa
Twitter: @CSIRTPanama
Facebook: http://www.facebook.com/CSIRTPanama
Key ID: 16F2B124