Patch Tuesday Highlights – November 2020


November Patch Tuesday brought fixes from Microsoft for 112 vulnerabilities, including one (CVE-2020-17087) that is already being actively exploited in the wild. In the days leading up to Patch Tuesday, Apple and Google joined the party, each releasing fixes for three zero-day vulnerabilities of their own. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

  • A recently released NSA Cybersecurity Advisory outlines 25 CVEs commonly exploited by Chinese state-sponsored actors. A DARKReading.com article states that “Most of the vulnerabilities…can be exploited to gain initial access into victim networks using products that are directly accessible from the Internet and act as gateways into internal networks.” You should review the NSA advisory to ensure that these vulnerabilities have been addressed or are appropriately prioritized for immediate patching. As a reminder, ZENworks 2020 lets you easily identify these 25 CVEs and the devices that are vulnerable to them, and then apply the patches required to remediate those devices, either immediately or on a schedule.
  • Microsoft changed its vulnerability descriptions in the new version of the Security Update Guide. You now have to do a little more piecing together of information, so you might want to take a look at this helpful article.
  • Microsoft released Windows 10 20H2 on October 20. Here are some things to be aware of starting with this release:
    • Microsoft is changing its naming scheme from the year and month pattern (YYMM, like 1903, 1909, 2004) to a year and half-year pattern (YYH1/YYH2, like 20H2).
    • Windows 10, versions 2004 and 20H2 share a common core operating system with an identical set of system files. Therefore, the new features in Windows 10, version 20H2 are included in the latest monthly quality update for Windows 10, version 2004 (released October 13, 2020), but are in an inactive and dormant state. These new features will remain dormant until they are turned on through the “enablement package,” a small, quick-to-install “master switch” that activates the Windows 10, version 20H2 features. Read how to do this here.
  • Adobe Flash Player general end-of-life is December 31st. Microsoft has released an update that removes Adobe Flash Player. The ZENworks patch feed includes this update, titled “Update for Removal of Adobe Flash Player for Windows <version>”.

Quick Take

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB4587735). It is not a prerequisite for November updates.
  • The cumulative update (KB4577668) resolves 46 new CVEs, including 2 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.

Windows Server 2016 Updates

  • The cumulative update (KB4586830) resolves 40 new CVEs, including 2 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.

Windows 10 Updates

  • There is a new Servicing Stack Update (KB number varies by version) for versions 1903 through 20H2. It is not a prerequisite for October updates.
  • The cumulative update (KB number varies by version) resolves up to 59 CVEs, depending on the version, including 2 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.

Windows 8.1 / Windows Server 2012 R2 Updates

  • The Security Monthly Quality Rollup (KB4586845) resolves 34 new CVEs, including 3 critical CVEs. It also resolves another 3 critical Internet Explorer vulnerabilities. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.
  • The Security Only Quality Update (KB4586823) resolves 34 new CVEs, including 3 critical CVEs. None have public disclosures or known exploits.
  • The Cumulative Security Update for Internet Explorer 11 (KB4586768) resolves 3 new critical CVEs. Apply it with the Security Only Quality Update (KB4586823). It is not needed with the Security Monthly Quality Rollup (KB4586845).

Windows Server 2012 Updates

  • The Security Monthly Quality Rollup (KB4586834) resolves 24 new CVEs, including 3 critical CVEs. It also resolves another 3 critical Internet Explorer vulnerabilities. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.
  • The Security Only Quality Update (KB4586808) resolves 24 new CVEs, including 3 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.
  • The Cumulative Security Update for Internet Explorer 11 (KB4586768) resolves 3 new critical CVEs. Apply it with the Security Only Quality Update (KB4586808). It is not needed with the Security Monthly Quality Rollup (KB4586834).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • The Security Monthly Quality Rollup (KB4586827) resolves 20 new CVEs, including 2 critical CVEs. It also resolves another 3 critical Internet Explorer vulnerabilities. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.
  • The Security Only Quality Update (KB4586805) resolves 20 new CVEs, including 2 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.
  • The Cumulative Security Update for Internet Explorer 11 (KB4586768) resolves 3 new critical CVEs. Apply it with the Security Only Quality Update (KB4586805). It is not needed with the Security Monthly Quality Rollup (KB4586827).

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • The Security Monthly Quality Rollup (KB4586807) resolves 14 new CVEs, including 2 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.
  • The Security Only Quality Update (KB4586817) resolves 14 new CVEs, including 2 critical CVEs. One vulnerability (CVE-2020-17087) is publicly disclosed and known exploited.

Microsoft Exchange Server

  • The monthly Security Updates resolve 3 CVEs (maximum severity is Important) for Exchange Server 2013 - 2019. None have public disclosures or known exploits.

Microsoft SharePoint Server

  • The monthly Security Updates resolve 6 CVEs (maximum severity is Important) across Enterprise Server 2013 & 2016, Foundation Server 2013, and SharePoint Server 2010. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

  • The Security Update resolves up to 8 new CVEs (maximum severity is Important) depending on the version. None have public disclosures or known exploits.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

  • Each channel update resolves up to 6 new CVEs (maximum severity is Important) depending on the version. None have public disclosures or known exploits.

Google Chrome

Mozilla Firefox

Mozilla Thunderbird
