Patch Tuesday: December 2020


The second Tuesday of the month has arrived. We all know what that means. We are back today with the Microsoft Patch Tuesday updates for December 2020.

This month, Microsoft has fixed 58 vulnerabilities of which 22 are classified as remote code execution (RCE) vulnerabilities. These RCE vulnerabilities are the ones that should be addressed as soon as possible since they could be exploited via the internet without user interaction. Pay particular attention to the RCE bugs that affect Microsoft Exchange, SharePoint and Hyper-V.

When it comes to severity, 9 of the vulnerabilities are “Critical” affecting Microsoft Exchange Server (2013, 2016, 2019), Microsoft SharePoint, Dynamics 365 for Finance and Operations, Windows Server (2016 and 2019), Windows 10, ChakraCore and Microsoft Edge.

48 of the vulnerabilities are classified as “Important” and two others as “Moderate”. The December Patch Tuesday patches do not remediate any zero-day vulnerabilities. The CVE details for the critical vulnerabilities are listed below:

| ID | Title | Rating |
|---|---|---|
| CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical |
| CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |

Here are the release notes for the December 2020 security updates.

We recommend that all critical patches be deployed within 30 days of release. For detailed information on all 58 vulnerabilities, please visit Microsoft’s Security Update Guide page.


All About Patch Tuesday

Anyone who has spent time on a personal computer knows what an update or patch is. A patch is a set of changes made to a computer program or application, covering everything from the operating system (OS) to business apps and browsers. Patches are mostly issued to fix a software bug or error, or to provide new features and enhancements. Patching is important because security patches address software vulnerabilities that cybercriminals might exploit to gain unauthorized access to your device and your data.

What Is Patch Tuesday?

Microsoft Patch Tuesday is the second Tuesday of every month, the day on which Microsoft releases security-related updates for its Windows OS, browsers and business applications. Other updates, not related to security, are released on the fourth Tuesday of every month. For an emergency security issue, Microsoft sometimes releases an out-of-band (OOB) update, which is not tied to the second Tuesday and can be published on any day of the month.
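The second-Tuesday rule combined with the 30-day deployment window this post recommends can be turned into a simple overdue check. The following is an added example, not part of the original post; the host names and the inventory format (host mapped to the year and month of the last Patch Tuesday release installed) are constructed assumptions, and out-of-band updates are not modelled.

```python
from datetime import date, timedelta

DEPLOY_WINDOW_DAYS = 30  # deployment window recommended in this post


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday=0, Tuesday=1. Days from the 1st to the first Tuesday:
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def deployment_deadline(year: int, month: int) -> date:
    """Last day by which that month's patches should be deployed."""
    return patch_tuesday(year, month) + timedelta(days=DEPLOY_WINDOW_DAYS)


def overdue_hosts(inventory: dict, today: date) -> list:
    """Return (host, missed_deadline) for hosts outside the window.

    inventory maps host -> (year, month) of the most recent Patch Tuesday
    release installed (assumed format). A host is overdue when the deadline
    of the next release after that one has already passed.
    """
    late = []
    for host, (year, month) in sorted(inventory.items()):
        next_year, next_month = (year + 1, 1) if month == 12 else (year, month + 1)
        deadline = deployment_deadline(next_year, next_month)
        if deadline < today:
            late.append((host, deadline))
    return late


# Constructed sample inventory: hypothetical hosts and patch levels.
SAMPLE_INVENTORY = {
    "dc01": (2020, 12),
    "exch01": (2020, 11),
    "sp01": (2020, 10),
    "hv01": (2020, 9),
}

if __name__ == "__main__":
    for host, deadline in overdue_hosts(SAMPLE_INVENTORY, date(2020, 12, 15)):
        print(f"{host}: missed deployment deadline {deadline.isoformat()}")
```

A host is reported only for the first release it missed; hosts several months behind have missed later deadlines as well.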

When Did Patch Tuesday Begin?

Microsoft introduced Patch Tuesday in October 2003, mainly to reduce the cost of distributing patches. Tuesday was chosen as the optimal day of the week so that users could apply patches over the rest of the week. Monday was left free to address any issues that arose over the preceding weekend.

Severity Rating System for Vulnerabilities

To help customers understand the importance of applying a particular patch, Microsoft has published a severity rating system that rates each vulnerability according to the worst theoretical outcome should that vulnerability be exploited.

| Rating | Description |
|---|---|
| Critical | It is recommended that critical updates are applied quickly. A vulnerability is rated critical when its exploitation could allow code execution without user interaction. |
| Important | A vulnerability that could result in the compromise of confidentiality and integrity of user data. Microsoft recommends that customers apply important updates at the earliest opportunity. |
| Moderate | A vulnerability that is mitigated to a significant degree by certain factors such as default configuration, auditing and authentication requirements. Microsoft recommends that customers consider applying the security update. |
| Low | A vulnerability that is extremely difficult to exploit or has minimal impact. |

Patch Tuesday November 2020 Updates

On Tuesday, November 10, 2020, Microsoft released its monthly set of software security patches. This month, they have remediated 112 software vulnerabilities. Among these, Microsoft provided a patch for a zero-day vulnerability, CVE-2020-17087, Windows Kernel Local Elevation of Privilege Vulnerability, which has already been exploited “in the wild.” The exploit works in conjunction with a Google Chrome zero-day vulnerability, as described in this ZDNet article.

The Chrome zero-day vulnerability has been patched in Chrome version 86.0.4240.111. The Windows vulnerability affects all currently supported versions of Windows, including Windows 10 and Windows Server.

Out of the 112 vulnerabilities, there are 24 that can allow remote code execution (RCE) exploits in a number of different Microsoft products, and 17 are rated “critical,” impacting the following:

  • Windows Server, Version 20H2 (Server Core Installation)
  • Raw Image Extension
  • Microsoft Edge (EdgeHTML-based)
  • Internet Explorer 11
  • HEVC Video Extensions
  • HEIF Image Extension
  • Azure Sphere
  • AV1 Video Extension

The CVE details of the critical vulnerabilities are listed below:

| ID | Title | Rating |
|---|---|---|
| CVE-2020-16988 | Azure Sphere Elevation of Privilege Vulnerability | Critical |
| CVE-2020-17042 | Windows Print Spooler Remote Code Execution Vulnerability | Critical |
| CVE-2020-17048 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| CVE-2020-17051 | Windows Network File System Remote Code Execution Vulnerability | Critical |
| CVE-2020-17052 | Scripting Engine Memory Corruption Vulnerability | Critical |
| CVE-2020-17053 | Internet Explorer Memory Corruption Vulnerability | Critical |
| CVE-2020-17058 | Microsoft Browser Memory Corruption Vulnerability | Critical |
| CVE-2020-17078 | Raw Image Extension Remote Code Execution Vulnerability | Critical |
| CVE-2020-17079 | Raw Image Extension Remote Code Execution Vulnerability | Critical |
| CVE-2020-17082 | Raw Image Extension Remote Code Execution Vulnerability | Critical |
| CVE-2020-17101 | HEIF Image Extensions Remote Code Execution Vulnerability | Critical |
| CVE-2020-17105 | AV1 Video Extension Remote Code Execution Vulnerability | Critical |
| CVE-2020-17106 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| CVE-2020-17107 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| CVE-2020-17108 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| CVE-2020-17109 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| CVE-2020-17110 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |

Here are the release notes for the November 2020 security updates.

We recommend that critical patches be deployed within 30 days of release. For more information on all 112 vulnerabilities, visit Microsoft’s Security Update Guide page.


Patch Tuesday October 2020 Updates

Microsoft provides Patch Tuesday updates in its Security Update Guide portal. Each update also comes with a set of release notes. (See this month’s release notes at the bottom of this blog.)

The Common Vulnerabilities and Exposures (CVE) ID is the identifier under which each vulnerability is disclosed and cataloged in the National Vulnerability Database (NVD). Vulnerabilities in the NVD have a criticality rating ranging from 1 (lowest) to 10 (highest).

For the October 2020 Patch Tuesday, a total of 87 CVEs were released, with 11 of them rated “Critical.” The October security updates are for the following Microsoft software:

  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft JET Database Engine
  • Azure Functions
  • Open Source Software
  • Microsoft Exchange Server
  • Visual Studio
  • PowerShellGet
  • Microsoft .NET Framework
  • Microsoft Dynamics
  • Adobe Flash Player
  • Microsoft Windows Codecs Library

Below are the CVE details of the “Critical” vulnerabilities in this month’s update.

| ID | Title | Rating | Description |
|---|---|---|---|
| CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. |
| CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. |
| CVE-2020-16911 | GDI+ Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. |
| CVE-2020-16915 | Media Foundation Memory Corruption Vulnerability | Critical | A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. |
| CVE-2020-16923 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. |
| CVE-2020-16947 | Microsoft Outlook Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. |
| CVE-2020-16951 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. |
| CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. |
| CVE-2020-16967 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. |
| CVE-2020-16968 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. |
| CVE-2020-17003 | Base3D Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists when the Base3D rendering engine improperly handles memory. |

The complete details of all 87 October 2020 security updates can be found on Microsoft’s Security Update Guide page. The release notes can be found here as well.

We highly recommend that you apply these patches as early as possible, and within 30 days of release at the latest.

Learn more about patching in Kaseya VSA here.
