Patch Tuesday, Good Riddance 2020 Edition – Krebs on Security




Microsoft today issued its latest batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft’s most severe “critical” label, meaning that they can be abused by malware or criminals to take remote control of PCs without any help from users.

Fortunately, it does not appear that any of the flaws fixed this month are being actively exploited, nor have any of them been publicly detailed before today.

The critical bits reside in updates for Microsoft Exchange Server, SharePoint Server, and Windows 10 and Server 2016 systems. Additionally, Microsoft published an advisory on how to minimize the risk of a DNS spoofing weakness in Windows Server 2008 through 2019.

Some of the sub-critical “important” flaws addressed this month are likely worth patching quickly in enterprise environments as well, including a trio of updates that address security issues with Microsoft Office.

“Given the speed with which attackers often weaponize Microsoft Office vulnerabilities, these should be prioritized in patching,” said Allan Liska, senior security architect at Recorded Future. “The vulnerabilities, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine. These vulnerabilities affect Microsoft Excel 2013 to 2019, Microsoft 365 32-bit and 64-bit versions, Microsoft Office 2019 32-bit and 64-bit versions, and Microsoft Excel for Mac 2019.”

We also learned this week that Redmond quietly addressed a terrifying “zero-click” vulnerability in its Microsoft Teams platform that would have allowed anyone to execute code of their choice just by sending the target a specially crafted chat message. The bug was cross-platform, meaning it could also have been used to deliver malicious code to people using Teams on non-Windows devices.

Security researcher Oskars Vegeris said in a proof-of-concept post to GitHub that he reported the flaw to Microsoft in late August, but that Microsoft did not assign the bug a Common Vulnerabilities and Exposures (CVE) identifier because it has a policy of not doing so for bugs that can be fixed on Microsoft’s end without user interaction.

According to Vegeris, Microsoft addressed the Teams flaw in late October. But he said the bug they fixed was the first of five zero- or one-click remote code execution flaws he found and reported in Teams. Asked via LinkedIn, Vegeris declined to say whether Microsoft has already addressed the remaining Teams issues.

Separately, Adobe issued security updates for its Prelude, Experience Manager and Lightroom software. There were no security updates for Adobe Flash Player, which is fitting considering that Adobe will retire the program at the end of the year. Microsoft is taking steps to remove Flash from its Windows browsers, and Google and Firefox already block Flash by default.

It’s a good idea for Windows users to get into the habit of updating at least once a month, but for regular users (read: non-businesses) it’s generally safe to wait a few days after patches are released, so Microsoft has time to iron out any chinks in the new armor.

But before updating, please make sure you have backed up your system and/or important files. It is not uncommon for a Windows update package to break the system or prevent it from starting properly, and some updates have been known to delete or corrupt files.

So do yourself a favor and make a backup before installing any patches. Windows 10 even has a few built-in tools to help you do that, either on a per-file/folder basis or by making a full, bootable copy of your hard drive in one go.

And if you want to make sure Windows has been set to pause updating so that you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, check out this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance that other readers have experienced the same thing and can chime in here with some helpful advice.

Tags: Adobe, Allan Liska, Microsoft Office, Microsoft Patch Tuesday December 2020, Microsoft Teams, Oskars Vegeris, Recorded Future

This entry was posted on Tuesday, December 8, 2020 at 6:47 pm and is filed under Security Tools, Time to Patch.
