Microsoft has published today 58 security fixes across 10+ products and services, as part of the company’s monthly batch of security updates, known as Patch Tuesday.
There’s a smaller number of fixes this December compared with the regular 100+ fixes that Microsoft ships each month, but this doesn’t mean the bugs are less severe.
More than a third of this month’s patches (22) are classified as remote code execution (RCE) vulnerabilities. These are security bugs that need to be addressed right away as they are more easily exploitable, with no user interaction, either via the internet or from across a local network.
This month, we have RCEs in Microsoft products like Windows NTFS, Exchange Server, Microsoft Dynamics, Excel, PowerPoint, SharePoint, Visual Studio, and Hyper-V.
The highest-rated of these bugs, and the ones most likely to come under exploitation, are the RCE bugs impacting Exchange Server (CVE-2020-17143, CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142) and SharePoint (CVE-2020-17118 and CVE-2020-17121).
Patching these first is advised, as, through their nature, Exchange and SharePoint systems are regularly connected to the internet and, as a result, are more easily attacked.
Another major bug fixed this month is also a bug in Hyper-V, Microsoft’s virtualization technology, used to host virtual machines. Exploitable via a malicious SMB packet, this bug could allow remote attackers to compromise virtualized sandboxed environments, something that Hyper-V was designed to protect.
Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
- Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
- ZDNet has published this file listing all this month’s security advisories on one single page.
- Adobe’s security updates are detailed here.
- SAP security updates are available here.
- Intel security updates are available here.
- VMWare security updates are available here.
- Chrome 87 security updates are detailed here.
- Android security updates are available here.
| Tag | CVE ID | CVE Title |
|---|---|---|
| Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver |
| Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability |
| Azure DevOps | CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability |
| Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability |
| Azure SDK | CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability |
| Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability |
| Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability |
| Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability |
| Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability |
| Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability |
| Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability |
| Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability |
| Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability |
| Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability |
| Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability |
| Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability |
Credit: Zdnet
