Windows “Ping of Death” bug revealed – Apply this month’s Microsoft patch now!
On Tuesday 13th October 2020 Microsoft released its usual round of monthly security updates. While it is always advisable to apply these updates in a timely fashion, there are two vulnerabilities disclosed this month that mean you need to patch without delay.
CVE-2020-16898, dubbed “Bad neighbour”, and CVE-2020-16899, named “Ping of death”, are both rated as critical and affect Windows 10 and Windows Server 2019. Both relate to vulnerabilities in the IPv6 TCP/IP stack. CVE-2020-16899 allows an attacker to crash Windows simply by sending a specially crafted network packet to the server, and proof-of-concept exploits are already circulating in the wild.
CVE-2020-16898 is potentially more serious, as it could allow remote code execution, which may allow an attacker to take complete control of the targeted machine. The vulnerability is also considered wormable, which means a self-replicating piece of malware could easily spread through entire Windows networks. While external-facing IPv6 networks are still not that common, the service is deployed by default on the affected versions of Windows and is therefore likely available on most internal networks, making them vulnerable to phishing or download attacks.
The security updates should be deployed without delay. If the updates cannot be deployed quickly, Microsoft has published workarounds which involve disabling the ICMPv6 RDNSS service to prevent exploitation.
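As an added example (not Microsoft's or this page's own script), the following PowerShell applies the workaround to every IPv6 interface and reads the setting back, using the `netsh` `rabaseddnsconfig` option from Microsoft's advisory. It assumes an elevated session, a Windows build that supports the option (1709 or later) and English-language `netsh` output; the `-State` parameter name is this example's own.

```powershell
# Added example: apply (or revert) the ICMPv6 RDNSS workaround on all IPv6 interfaces.
# Run from an elevated PowerShell prompt. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # 'disable' applies the workaround; 'enable' reverts it once the patch is installed.
    [ValidateSet('disable', 'enable')]
    [string]$State = 'disable'
)

$results = foreach ($if in Get-NetIPInterface -AddressFamily IPv6) {
    $applied = $false
    if ($PSCmdlet.ShouldProcess($if.InterfaceAlias, "rabaseddnsconfig=$State")) {
        # Documented workaround syntax: netsh int ipv6 set int <ifIndex> rabaseddnsconfig=disable
        netsh int ipv6 set int $if.ifIndex "rabaseddnsconfig=$State" | Out-Null
        $applied = ($LASTEXITCODE -eq 0)
        if (-not $applied) {
            Write-Warning "netsh failed on interface $($if.ifIndex) ($($if.InterfaceAlias))"
        }
    }

    # Read the setting back rather than trusting the exit code alone.
    # Assumption: English netsh output containing the label 'RA Based DNS Config'.
    $line = netsh int ipv6 show int $if.ifIndex | Select-String 'RA Based DNS Config'
    $current = if ($line) { ($line.Line -split ':')[-1].Trim() } else { 'unknown' }

    [pscustomobject]@{
        ifIndex    = $if.ifIndex
        Alias      = $if.InterfaceAlias
        Changed    = $applied
        RaBasedDns = $current
    }
}

# Any interface not reporting the requested state needs manual attention.
$results | Format-Table -AutoSize
$pending = $results | Where-Object { $_.RaBasedDns -ne "${State}d" }
if ($pending) {
    Write-Warning "$(@($pending).Count) interface(s) do not report '${State}d'."
}
```

Interfaces added later (VPN adapters, new virtual switches) are not covered by an earlier run, so re-run the script after network changes until the update is installed.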
If you are concerned that your organization may be at risk or you would like to discuss any support against cyber security threats please get in touch.