Microsoft has released the December 2020 Security updates that includes patches for 58 vulnerabilities, 9 of them rated Critical.
In all, the Microsoft security updates address vulnerabilities in the following products:
- Azure DevOps
- Azure SDK
- Azure Sphere
- ChakraCore
- Microsoft Dynamics
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge for Android
- Microsoft Exchange Server
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Visual Studio.
Microsoft has provided patches for each of the vulnerabilities and also summarized them in the December 2020 Security Updates Release Notes.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.
Critical vulnerabilities
Microsoft addressed 9 Critical vulnerabilities, to include remote code execution (RCE) vulnerabilities that cover Hyper-V, Exchange Server, SharePoint, Dynamics 365 (on-premise) and Chakra Scripting products.
In summary, the following Critical RCE vulnerabilities were patched:
- Hyper-V: CVE-2020-17095
- Exchange Server: CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142
- Sharepoint: CVE-2020-17118 and CVE-2020-17121
- Dynamics 365 for Finance and Operations (on-premises): CVE-2020-17152 and CVE-2020-17158
- Chakra Scripting Engine: CVE-2020-17131.
Of special note, Microsoft confirmed an attacker could exploit CVE-2020-17095 to run a specially crafted application on a Hyper-V guest.
As a result, a successful attack could “cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data.”
Windows NTFS RCE
Additionally, Microsoft addressed a Windows RCE vulnerability (CVE-2020-17096) in Microsoft Windows.
A local attacker with SMBv2 access to a vulnerable system could run a specially crafted application that would elevate the attacker’s privileges.
Microsoft also confirmed exploitation of this vulnerability rated Important is “more likely.”
Other patches
In a related note, Adobe also released a Prenotification Security Advisory for Adobe Acrobat and Reader (APSB20-75). Patches will be released the week of December 7, 2020.
OpenSSL also addressed a High risk vulnerability CVE-2020-1971 in certain OpenSSL versions that could result in Denial of Service condition if exploited.