[ad_1]
Microsoft today released 58 security fixes for more than 10 products and services, as part of the company’s monthly batch of security updates, known as Patch Tuesday.
There are fewer fixes this December compared to the more than 100 regular fixes Microsoft sends out each month, but this doesn’t mean the bugs are less serious.
More than a third of this month’s patches (22) are classified as remote code execution vulnerabilities (RCEs). These are security bugs that need to be addressed immediately, as they are easier to exploit, without user interaction, either over the Internet or over a local network.
This month, we have RCEs on Microsoft products like Windows NTFS, Exchange Server, Microsoft Dynamics, Excel, PowerPoint, SharePoint, Visual Studio, and Hyper-V.
The highest rated bugs and the most likely to be exploited are RCE bugs that affect Exchange Server (CVE-2020-17143, CVE-2020-17144, CVE-2020-17141, CVE-2020-17117 , CVE-2020-17132 and CVE-2020-17142) and SharePoint (CVE-2020-17118 and CVE-2020-17121).
It is recommended to patch them first, as Exchange and SharePoint systems are regularly connected to the Internet by their nature and are easier to attack as a result.
Another major bug fixed this month is also a bug in Hyper-V, Microsoft’s virtualization technology, which is used to host virtual machines. This bug, which can be exploited via a malicious SMB packet, could allow remote attackers to compromise virtualized sandbox environments, something Hyper-V was designed to protect.
Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other technology companies:
- The official portal for Microsoft’s Security Updates Guide lists all security updates in a filterable table.
- ZDNet has published this file that lists all of this month’s security advisories on one page.
- Adobe security updates are detailed here.
- SAP security updates are available here.
- Intel security updates are available here.
- VMWare security updates are available here.
- Chrome 87 security updates are detailed here.
- Android security updates are available here.
| Label | CVE ID | CVE title |
|---|---|---|
| Microsoft Windows DNS | ADV200013 | Microsoft Guide to Addressing the Phishing Vulnerability in DNS Resolver |
| Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services spoofing vulnerability |
| Azure DevOps | CVE-2020-17135 | Azure DevOps server spoofing vulnerability |
| Azure SDK | CVE-2020-17002 | Azure SDK for C Security Features Bypass vulnerability |
| Azure SDK | CVE-2020-16971 | Azure SDK for Java security feature bypass vulnerability |
| Blue dial | CVE-2020-17160 | Azure Sphere security feature bypass vulnerability |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Cross-Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central / NAV Information Disclosure |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (Local) Remote Code Execution Vulnerability |
| Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (Local) Remote Code Execution Vulnerability |
| Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Phishing Vulnerability |
| Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability |
| Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-17098 | Windows GDI + Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint elevation of privilege vulnerability |
| Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of privilege vulnerability |
| Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-17138 | Windows Bug Reporting Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-17092 | Windows Network Connection Service Elevation of Privilege vulnerability |
| Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of privilege vulnerability |
| Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of privilege vulnerability |
| Visual study | CVE-2020-17148 | Visual Studio Remote Code Development Extension Remote Code Execution Vulnerability |
| Visual study | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability |
| Visual study | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability |
| Visual study | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability |
| Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows error report | CVE-2020-17094 | Windows Bug Reporting Information Disclosure Vulnerability |
| Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability |
| Windows lock screen | CVE-2020-17099 | Windows lock screen security feature bypasses vulnerability |
| Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability |
| Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability |
| Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability |
