December Patch Tuesday 2020 Fixes 58 Vulnerabilities
December Patch Tuesday has arrived with 58 security gaps remediated, including 22 remote code execution vulnerabilities.
December Patch Tuesday Arrives with 58 Fixes
To end the year, Microsoft has remediated 58 bugs including 9 Critical, 46 Important and 3 Moderate. Microsoft has fixed over 1,200 vulnerabilities to date, more than any other year.
Fixes this month included Microsoft Windows, Edge (Edge HTML-based), Chakra Core, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.
However, there were surprisingly no fixes for Internet Explorer — could there be a last minute out-of-band for December? We will have to wait and see.
There were just shy of half the fixes compared to November, which was a record high of 112 vulnerabilities.
There have also been Windows 7 and Windows Server 2008 (including R2) vulnerabilities for extended support subscribers. Windows 7 and Windows Server 2008 (including R2) both have 9 vulnerabilities: all Important.
Robert Brown, Director of Services for Syxsense said, “We were told there would not be any preview updates this month to reduce the holiday burden on IT departments, but we are surprised not to see any Internet Explorer fixes in here and only 1 for Edge. Stay vigilant as there may be last minute OOB updates before New Year.”
Top December Patches and Vulnerabilities
1. CVE-2020-17132 & CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
CVSS Score 9.1 making this one of the top 3 highest vulnerabilities to prioritize this month. No countermeasure is available.
If a hacker can take over a single mailbox, they can take over the entire Exchange server. These two updates are the highest rated alongside several other fixes for Exchange so this should be your highest priority if you are still using Exchange.
Affects Exchange 2016 & 2019
Workaround: None
2. CVE-2020-17158: Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
CVSS score of 8.8 making this joint top 2 highest vulnerabilities to prioritize this month, no countermeasure is available
Exploitation: More Likely
Attack Complexity: Low
User Interaction: None
3. CVE-2020-17121: Microsoft SharePoint Remote Code Execution Vulnerability
CVSS score of 8.8 with no countermeasure
Exploitation: More Likely
Affects SharePoint 2010, 2013, 2016 & 2019
Attack Vector: In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel.
Integrity: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any / all files at will.
Tuearis is proactive.
Through our Threat and Vulnerability Management programs Tuearis is always looking for unpatched vulnerabilities in our client environments, even in third party softwares and other vulnerable devices on the network. Don't wait until a vulnerability becomes a breach to let us help secure your network.
We are dedicated to helping you REST SECURED.