December 2020 Patch Tuesday – 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe

Animesh Jain

This month’s Microsoft Patch Tuesday addresses 58 vulnerabilities with 9 of them labeled as Critical. The 9 Critical vulnerabilities cover Exchange, SharePoint, Hyper-V, Chakra Scripting, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Prelude, Lightroom and pre-notification security advisory for Acrobat and Reader.

Workstation Patches

Today’s Patch Tuesday fixes vulnerabilities that would impact workstations. The Office, Edge, Chakra vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Microsoft Exchange RCE

Microsoft patched five Remote Code Execution vulnerabilities in Exchange (CVE-2020-17141, CVE-2020-17142, CVE-2020-17144, CVE-2020-17117, CVE-2020-17132), which would allow an attacker to run code as system by sending a malicious email. Microsoft does rank them as “Exploitation Less Likely,” but due to the open attack vector, these patches should be prioritized on all Exchange Servers.

SharePoint RCE

Microsoft patched two RCEs (CVE-2020-17121 and CVE-2020-17118) in SharePoint. CVE-2020-17121 allows an authenticated attacker to gain access to create a site and execute code remotely within the kernel. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.

Hyper-V RCE

Microsoft also patched an RCE vulnerability in Hyper-V (CVE-2020-17095) which allows an attacker to run malicious programs on Hyper-V virtual machine to execute arbitrary code on the host system when it fails to properly validate vSMB packet data. This should be prioritized on all Hyper-V systems.

Windows NTFS RCE

While listed as Important, there is a RCE vulnerability (CVE-2020-17096) in Microsoft Windows. A local attacker could exploit this vulnerability to elevate the attacker’s privileges or a remote attacker with SMBv2 access to affected system could send malicious requests over the network.

Windows Lock Screen Security Bypass

An important vulnerability is patched by Microsoft (CVE-2020-17099) where an attacker with physical access to the target system could perform actions on a locked system, thereby executing code from Windows lock screen in the context of the active user session. This patch should be prioritized across all Windows devices.

Adobe

Adobe issued patches today covering multiple vulnerabilities in Adobe Experience Manager, Lightroom, Prelude and Pre-notification Security Advisory for Acrobat and Reader. The patches for Experience Manager and Acrobat/Reader are labeled as Priority 2 , while the remaining patches are set to Priority 3.

While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.

About Patch Tuesday

Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday.

Show Comments (1)

Leave a Reply to QM_SSJ4 Cancel reply

Your email address will not be published. Required fields are marked *

  1. Can you explain your take on the Exchange Vulnerabilities that will “allow an attacker to run code as system by sending a malicious email”?

    Other sources indicate Authentication is needed prior which means a compromise of a Users’ mailbox. Microsoft’s own CVSS for CVE 2020 17132 also indicates privileges required : High.