IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - December 2020 - Foundation IT

Written by Lizzie Arcari | Dec 9, 2020 12:00:00 AM

Microsoft has released its December 2020 security updates, which is fixes for 58 vulnerabilities in Microsoft products. Every month we will post our vulnerability score and tips around each patch released, to provide advice for IT professionals and businesses.

Out of the 58 patches, 9 are classed as critical, 48 are classed as important and 2 are classed as moderate. There were no Zero-Days discovered this month.

Other Products:

Other companies who have released security updates this week:

  • Andriod: December security updates
  • Apple: Security updates for iCloud
  • Cisco: Security updates for Security Manager vulnerabilities
  • D-Link: VPN routers got patched for remote command injection bugs
  • QNAP: Patched QTS vulnerabilities
  • SAP: December 2020 security updates
  • VMWare: Security updates that resolve a zero-day reported by the NSA and used by Russian state-sponsored hackers

 

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

Category

CVE IDs

CVE Title

Severity

FIT Score & Tip

Azure DevOps
2

CVE-2020-17145
CVE-2020-17135

Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
Azure DevOps Server Spoofing Vulnerability

Important

3/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers with vulnerabilities much like an on premise environment. These need to be applied based on what is used by your business.

Azure SDK
2

CVE-2020-17002
CVE-2020-16971

Azure SDK for C Security Feature Bypass Vulnerability

Azure SDK for Java Security Feature Bypass Vulnerability

Important

3/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers with vulnerabilities much like an on premise environment. These need to be applied based on what is used by your business.

Azure Sphere
1

CVE-2020-17160

Azure Sphere Security Feature Bypass Vulnerability

Important

3/5 - This particular vulnerability is complex and time consuming to setup, that is to say that this cannot be exploited at will and requires planning or substantial preparation to accomplish.

Microsoft Dynamics
2

CVE-2020-17158
CVE-2020-17152

Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability

Critical 

4/5 - High chance of exploitation and an attacker would expect reliable, repeatable successful execution. This attack would not require much preparation and would only need the vulnerability to exist for an attempted attack. These kind of attacks should be patched as soon as possible.

Microsoft Dynamics
2

CVE-2020-17147
CVE-2020-17133

Dynamics CRM Webclient Cross-site Scripting Vulnerability
Microsoft Dynamics Business Central/NAV Information Disclosure

Important

3/5 - This type of attack would require some type of user interaction but with phishing and credential stuffing becoming a very large practice these shouldn't go ignored. 

Microsoft Edge
1

CVE-2020-17131

Chakra Scripting Engine Memory Corruption Vulnerability

Critical 

3/5 - This particular vulnerability is complex and time consuming to setup, that is to say that this cannot be exploited at will and requires planning or sustantial preparation to accomplish. This exploit takes advantage of Chakra which is a forked version of the JavaScript engine and is used in IE.

Microsoft Edge
1

CVE-2020-17153

Microsoft Edge for Android Spoofing Vulnerability

Moderate

3/5 - This is a spoofing attack which would require a user to be convinced of authenticity, but with phishing and credential stuffing becoming a very large practice these shouldn't go ignored.

Microsoft Exchange Server
3

CVE-2020-17117
CVE-2020-17132
CVE-2020-17142

Microsoft Exchange Remote Code Execution Vulnerability

Critical 

3/5 - These vulnerabilities exist in Microsoft Exchange due to the improper validation of cmdlet arguments. To exploit these vulnerabilities, an attacker would need to be authenticated to the vulnerable Exchange server in order to exploit the flaw.

Microsoft Exchange Server
3

CVE-2020-17143
CVE-2020-17144
CVE-2020-17141

Microsoft Exchange Information Disclosure Vulnerability
Microsoft Exchange Remote Code Execution Vulnerability

Important 

3/5 - These vulnerabilities exist in Microsoft Exchange due to the improper validation of cmdlet arguments. To exploit these vulnerabilities, an attacker would need to be authenticated to the vulnerable Exchange server in order to exploit the flaw.

Microsoft Graphics Component
2

CVE-2020-17137
CVE-2020-17098

DirectX Graphics Kernel Elevation of Privilege Vulnerability
Windows GDI+ Information Disclosure Vulnerability

Important 

2/5 - This requires local/SSH/User interaction which in a best practice configured environment shouldn't be a risk. This can be deployed at a lower priority.

Microsoft Office
10

CVE-2020-17130
CVE-2020-17128
CVE-2020-17129
CVE-2020-17124
CVE-2020-17123
CVE-2020-17119
CVE-2020-17125
CVE-2020-17127
CVE-2020-17126
CVE-2020-17122

Microsoft Excel Security Feature Bypass Vulnerability
Microsoft Excel Remote Code Execution Vulnerability
Microsoft PowerPoint Remote Code Execution Vulnerability
Microsoft Outlook Information Disclosure Vulnerability
Microsoft Excel Information Disclosure Vulnerability

Important

3/5 - This requires local/SSH/User interaction which in a best practice configured environment shouldn't be a risk however phishing and credential stuffing becoming a very large practice these shouldn't go ignored. 

Microsoft Office SharePoint
2

CVE-2020-17121
CVE-2020-17118

Microsoft SharePoint Remote Code Execution Vulnerability

Critical 

4/5 - High chance of exploitation and an attacker would expect reliable, repeatable successful execution. This attack would not require much preparation and would only need the vulnerability to exist for an attempted attack. These kind of attacks should be patched as soon as possible.

Microsoft Office SharePoint
2

CVE-2020-17120
CVE-2020-17089

Microsoft SharePoint Information Disclosure Vulnerability
Microsoft SharePoint Elevation of Privilege Vulnerability

Important

3/5 - This type of attack would require some type of user interaction but with phishing and credential stuffing becoming a very large practice these shouldn't go ignored. 

Microsoft Office Sharepoint
1

CVE-2020-17122

Microsoft SharePoint Spoofing Vulnerability

Moderate

3/5 - This is a spoofing attack which would require a user to be convinced of authenticity, but with phishing and credential stuffing becoming a very large practice these shouldn't go ignored.

Microsoft Windows
7

CVE-2020-17136
CVE-2020-16996
CVE-2020-17138
CVE-2020-17092
CVE-2020-17139
CVE-2020-17103
CVE-2020-17134

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Kerberos Security Feature Bypass Vulnerability
Windows Error Reporting Information Disclosure Vulnerability
Windows Network Connections Service Elevation of Privilege Vulnerability
Windows Overlay Filter Security Feature Bypass Vulnerability

Important

3/5 - This requires local/SSH/User interaction which in a best practice configured environment shouldn't be a risk however phishing and credential stuffing becoming a very large practice these shouldn't go ignored. 

Microsoft Windows DNS
1

ADV200013

Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver

Important 

3/5 - A type of DNS poisoning attack. This is resolved by modifying DNS registry config. 

Visual Studio
4

CVE-2020-17148
CVE-2020-17159
CVE-2020-17156
CVE-2020-17150

Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
Visual Studio Remote Code Execution Vulnerability

Important 

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows Backup Engine
7

CVE-2020-16960
CVE-2020-16958
CVE-2020-16959
CVE-2020-16961
CVE-2020-16964
CVE-2020-16963
CVE-2020-16962

Windows Backup Engine Elevation of Privilege Vulnerability

Important 

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows Error Reporting
1

CVE-2020-17094

Windows Error Reporting Information Disclosure Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows Hyper-V
1

CVE-2020-17095

Hyper-V Remote Code Execution Vulnerability

Critical 

4/5 - Classified as Critical so should be deployed when possible.

Windows Lock Screen
1

CVE-2020-17099

Windows Lock Screen Security Feature Bypass Vulnerability

Important

3/5 - This requires local/User interaction which in a best practice configured environment shouldn't be a risk however phishing and credential stuffing becoming a very large practice these shouldn't go ignored. 

Windows Media
1

CVE-2020-17097

Windows Digital Media Receiver Elevation of Privilege Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows SMB
2

CVE-2020-17096
CVE-2020-17140

Windows NTFS Remote Code Execution Vulnerability
Windows SMB Information Disclosure Vulnerability

Important

3/5 - This particular vulnerability is complex and time consuming to setup, that is to say that this cannot be exploited at will and requires planning or sustantial preparation to accomplish.