Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities

Today is Microsoft’s December 2020 Patch Tuesday, and Windows administrators will be scrambling to put out fires, so be kind to them.

With the December 2020 Patch Tuesday security updates release, Microsoft has released fixes for 58 vulnerabilities and one advisory for Microsoft products. Of the 58 vulnerabilities fixed today, nine are classified as Critical, 48 as Important, and two as Moderate.

There are no zero-day or previously disclosed vulnerabilities fixed in the December 2020 updates.

For information about the non-security Windows updates, you can read about today’s Windows 10 KB4592449 & KB4592438 cumulative updates.

Guidance on disclosed DNS cache poisoning

Included in today’s Patch Tuesday updates is an advisory for a DNS cache poisoning vulnerability discovered by security researchers from Tsinghua University and the University of California.

“Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver. An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS Forwarder or the DNS Resolver,” Microsoft's ADV200013 advisory explains.

To resolve this vulnerability, administrators can modify the Registry to change the maximum UDP packet size to 1,221 bytes. For DNS requests greater than 1,221 bytes, the DNS resolver will switch to TCP connections.

You can read more about these mitigations in our dedicated ‘Microsoft issues guidance for DNS cache poisoning vulnerability’ article.
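How a 1,221-byte cap pushes larger answers onto TCP, sketched as an added example (not Microsoft's code or part of the original article). It assumes the cap is signalled through the standard EDNS0 OPT record (RFC 6891); the function names and the sample query are constructed for illustration.

```python
import struct

UDP_CAP = 1221   # maximum UDP packet size from the advisory guidance
OPT_TYPE = 41    # EDNS0 OPT pseudo-record type (RFC 6891)

def build_query(qname, udp_size=UDP_CAP, txid=0x1234):
    """Build an A query; udp_size=None omits the OPT record (legacy DNS)."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if udp_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(query):
    """Return the UDP payload size a query advertises (512 without EDNS0)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    if ancount or nscount:
        raise ValueError("expected a plain query")
    off = 12
    for _ in range(qdcount):
        while query[off] != 0:          # walk the uncompressed QNAME labels
            off += 1 + query[off]
        off += 1 + 4                    # terminating zero + QTYPE + QCLASS
    for _ in range(arcount):
        if query[off] != 0:
            raise ValueError("unsupported additional record name")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off + 1:off + 11])
        if rtype == OPT_TYPE:
            return max(rclass, 512)     # values below 512 are treated as 512
        off += 11 + rdlen
    return 512

def transport_for(response_len, query):
    """'udp' if the response fits the advertised size, else 'tcp'
    (the server truncates and sets TC; the resolver retries over TCP)."""
    return "udp" if response_len <= advertised_udp_size(query) else "tcp"

if __name__ == "__main__":
    capped = build_query("example.com")
    for size in (512, 1221, 1222, 4000):   # constructed response sizes
        print(size, transport_for(size, capped))
```

Responses that stay at or under the cap are less likely to be split into IP fragments, which is the condition the advisory ties the poisoning to.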

Vulnerabilities of interest

While there were no zero-days this month, quite a few of the fixed vulnerabilities are interesting.

Recent security updates from other companies

Other vendors who released security updates in October include:

The December 2020 Patch Tuesday Security Updates

Below is the full list of resolved vulnerabilities and released advisories in the December 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

| Tag | CVE ID | CVE Title | Severity |
| --- | --- | --- | --- |
| Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important |
| Azure DevOps | CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | Important |
| Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important |
| Azure SDK | CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | Important |
| Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate |
| Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important |
| Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | Moderate |
| Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver | Important |
| Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important |
| Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical |
| Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important |
| Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important |
| Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | Important |