Today is Microsoft’s December 2020 Patch Tuesday, and Windows administrators will be scrambling to put out fires, so be kind to them.
With the December 2020 Patch Tuesday security updates release, Microsoft has released fixes for 58 vulnerabilities and one advisory for Microsoft products. Of the 58 vulnerabilities fixed today, nine are classified as Critical, 48 as Important, and two as Moderate.
There are no zero-day or previously disclosed vulnerabilities fixed in the December 2020 updates.
For information about the non-security Windows updates, you can read about today’s Windows 10 KB4592449 & KB4592438 cumulative updates.
Guidance on disclosed DNS cache poisoning
Included in today’s Patch Tuesday updates is an advisory for a DNS cache poisoning vulnerability discovered by security researchers from Tsinghua University and the University of California.
“Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver. An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS Forwarder or the DNS Resolver,” Microsoft ADV 200013 explains.
To resolve this vulnerability, administrators can modify the Registry to change the maximum UDP packet size to 1,221 bytes. For DNS requests greater than 1,221 bytes, the DNS resolver will switch to TCP connections.
You can read more about these mitigations in our dedicated ‘Microsoft issues guidance for DNS cache poisoning vulnerability‘ article.
Vulnerabilities of interest
While there were no zero-days this month, there were quite a few vulnerabilities that are interesting.
- CVE-2020-17095 – Hyper-V Remote Code Execution Vulnerability: Allows malicous programs running in a Hyper-V VM to execute code on the Host.
- CVE-2020-17096 – Windows NTFS Remote Code Execution Vulnerability: Can be exploited locally to elevate permissions or remotely via SMBv2 to execute commands.
- CVE-2020-17099 – Windows Lock Screen Security Feature Bypass Vulnerability: Allows a local attacker to execute commands from a locked Windows device.
Recent security updates from other companies
Other vendors who released security updates in October include:
- Android’s December security updates were released yesterday.
- Apple released security updates for iCloud.
- Cisco released security updates for Security Manager vulnerabilities.
- D-Link VPN routers got patched for remote command injection bugs
- QNAP patched QTS vulnerabilities.
- SAP released its December 2020 security updates.
- VMware released security updates that resolve a zero-day reported by the NSA and see used by Russian state-sponsored hackers.
The December 2020 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the December 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important |
| Azure DevOps | CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | Important |
| Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important |
| Azure SDK | CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | Important |
| Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate |
| Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important |
| Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | Moderate |
| Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver | Important |
| Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | Important |
| Visual Studio | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important |
| Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical |
| Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important |
| Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important |
| Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | Important |