For November Patch Tuesday, Microsoft released 112 CVEs. After a small dip in October, Microsoft is back in the game releasing over 100 CVEs per month, so I guess this is the new normal ????. Of these 112, 17 are critical, for which you need to activate the monthly patching cycle prioritizing critical ones or any other criteria that you may have.
But only a few really need serious attention, listed below.
CVE-2020-17087, is EoP vulnerability, attack vector is local and not public facing. But it has been exploited and considered zero-day.
CVE-2020-17061, is RCE, attack vector is network and yes, it is public facing. Chances are for PoC to release is high, based on its exposure and the value of information it holds.
CVE-2020-17051, is RCE, attack vector is network but not necessarily public facing – unless you have some weird network design. Good vulnerability for Ransomware to use so patch this immediately.
CVE-2020-17084, is RCE, attack vector is network and exchange is public facing. Reported by Source Incite and they have a track record of releasing detailed write-ups and PoC's released.
Microsoft has done something really strange by removing vulnerability details from Patch Tuesday bulletin. Hope this will be fixed. Happy Patching!