Microsoft has released its December 2020 security updates, which fix 58 vulnerabilities in Microsoft products. Every month we post our vulnerability score and tips for each patch released, to provide advice for IT professionals and businesses.
Out of the 58 patches, 9 are classed as critical, 48 are classed as important and 2 are classed as moderate. There were no zero-days discovered this month.
Other Products:
Other companies who have released security updates this week:
- Android: December security updates
- Apple: Security updates for iCloud
- Cisco: Security updates for Security Manager vulnerabilities
- D-Link: VPN routers got patched for remote command injection bugs
- QNAP: Patched QTS vulnerabilities
- SAP: December 2020 security updates
- VMware: Security updates that resolve a zero-day reported by the NSA and used by Russian state-sponsored hackers
All the patches can be found in the table below or alternatively downloaded here.
We have also curated a downloadable Patching Best Practice Guide.
| Category | CVE ID | CVE Title | Severity | FIT Score & Tip |
|---|---|---|---|---|
| Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important | 3/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers from vulnerabilities much like an on-premises environment. These need to be applied based on what your business uses. |
| Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important | 3/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers from vulnerabilities much like an on-premises environment. These need to be applied based on what your business uses. |
| Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important | 3/5 - This particular vulnerability is complex and time-consuming to set up; that is to say, it cannot be exploited at will and requires planning or substantial preparation to accomplish. |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | 4/5 - High chance of exploitation, and an attacker would expect reliable, repeatable successful execution. This attack would not require much preparation and would only need the vulnerability to exist for an attempt to be made. These kinds of attacks should be patched as soon as possible. |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | Important | 3/5 - This type of attack would require some user interaction, but with phishing and credential stuffing becoming a very common practice these shouldn't be ignored. |
| Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 3/5 - This particular vulnerability is complex and time-consuming to set up; that is to say, it cannot be exploited at will and requires planning or substantial preparation to accomplish. This exploit takes advantage of Chakra, a forked JavaScript engine that is used in IE. |
| Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate | 3/5 - This is a spoofing attack, which would require a user to be convinced of its authenticity, but with phishing and credential stuffing becoming a very common practice these shouldn't be ignored. |
| Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | 3/5 - These vulnerabilities exist in Microsoft Exchange due to improper validation of cmdlet arguments. To exploit them, an attacker would need to be authenticated to the vulnerable Exchange server. |
| Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important | 3/5 - These vulnerabilities exist in Microsoft Exchange due to improper validation of cmdlet arguments. To exploit them, an attacker would need to be authenticated to the vulnerable Exchange server. |
| Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 2/5 - This requires local/SSH/user interaction, which in a best-practice configured environment shouldn't be a risk. This can be deployed at a lower priority. |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 3/5 - This requires local/SSH/user interaction, which in a best-practice configured environment shouldn't be a risk; however, with phishing and credential stuffing becoming a very common practice, these shouldn't be ignored. |
| Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 4/5 - High chance of exploitation, and an attacker would expect reliable, repeatable successful execution. This attack would not require much preparation and would only need the vulnerability to exist for an attempt to be made. These kinds of attacks should be patched as soon as possible. |
| Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important | 3/5 - This type of attack would require some user interaction, but with phishing and credential stuffing becoming a very common practice these shouldn't be ignored. |
| Microsoft Office SharePoint | CVE-2020-17122 | Microsoft SharePoint Spoofing Vulnerability | Moderate | 3/5 - This is a spoofing attack, which would require a user to be convinced of its authenticity, but with phishing and credential stuffing becoming a very common practice these shouldn't be ignored. |
| Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 3/5 - This requires local/SSH/user interaction, which in a best-practice configured environment shouldn't be a risk; however, with phishing and credential stuffing becoming a very common practice, these shouldn't be ignored. |
| Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver | Important | 3/5 - A type of DNS poisoning attack. This is resolved by modifying the DNS server's registry configuration. |
| Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | 3/5 - Classified as important by Microsoft, so worth deploying to your machines if applicable, once fully tested. |
| Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 3/5 - Classified as important by Microsoft, so worth deploying to your machines if applicable, once fully tested. |
| Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important | 3/5 - Classified as important by Microsoft, so worth deploying to your machines if applicable, once fully tested. |
| Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical | 4/5 - Classified as critical, so it should be deployed when possible. |
| Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | 3/5 - This requires local/user interaction, which in a best-practice configured environment shouldn't be a risk; however, with phishing and credential stuffing becoming a very common practice, these shouldn't be ignored. |
| Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 3/5 - Classified as important by Microsoft, so worth deploying to your machines if applicable, once fully tested. |
| Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important | 3/5 - This particular vulnerability is complex and time-consuming to set up; that is to say, it cannot be exploited at will and requires planning or substantial preparation to accomplish. |
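The ADV200013 row says the DNS resolver spoofing issue is resolved through a registry change rather than a binary patch. As an added example (not code from the original post), the PowerShell script below audits a Windows DNS Server for that workaround and optionally applies it. It uses the values from Microsoft's ADV200013 guidance (the `MaximumUdpPacketSize` DWORD under the DNS service `Parameters` key set to 0x4C5, i.e. 1221 bytes, followed by a DNS service restart) and assumes it is run in an elevated session on the DNS server itself.

```powershell
# Added example: audit (and optionally apply) the ADV200013 DNS workaround.
# Assumption: elevated PowerShell session on the Windows DNS Server host.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'MaximumUdpPacketSize'
$Expected  = 0x4C5   # 1221 bytes, the value ADV200013 recommends

if (-not (Test-Path $KeyPath)) {
    Write-Warning "DNS Server Parameters key not found; is the DNS Server role installed here?"
    return
}

# Read the current value; $null means the value has never been set (server default applies)
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    Write-Host "$ValueName is not set (default in effect): ADV200013 workaround NOT applied"
} elseif ($current -eq $Expected) {
    Write-Host ("{0} = {1} (0x{1:X}): ADV200013 workaround already applied" -f $ValueName, $current)
    return
} else {
    Write-Host ("{0} = {1} (expected {2}): ADV200013 workaround NOT applied" -f $ValueName, $current, $Expected)
}

if ($Apply) {
    # Set the DWORD and restart DNS; ADV200013 requires a service restart for it to take effect
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type DWord
    Restart-Service -Name DNS
    Write-Host "Applied $ValueName=$Expected and restarted the DNS service"
} else {
    Write-Host "Audit only. Re-run with -Apply to set the value and restart the DNS service"
}
```

Run it without switches first to audit a fleet of DNS servers from your management tooling; the restart briefly interrupts name resolution, so schedule `-Apply` accordingly.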
About the Author: Lizzie Arcari
Lizzie joined Foundation IT in 2019 after graduating from University. She is excited to develop her career in the IT industry, learning from the best.