Microsoft Wraps Up a Lighter Patch Tuesday for the Holidays

  • 9 critical bugs and 58 overall fixes mark the final scheduled security advisory of 2020.

    Microsoft has tackled 58 CVEs (nine of them critical) for its December 2020 Patch Tuesday update. This brings the computing giant’s patch tally to 1,250 for the year – well beyond 2019’s 840.

    This month’s security bugs affect Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK and Azure Sphere, according to the update. None are listed as publicly known or under active attack. Also, no vulnerability was assigned a CVSSv3 severity score of 9.0 or higher.

    Critical Bug Breakdown

    Three of the critical flaws are found in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142), all enabling remote code execution (RCE). One of these occurs due to improper validation of cmdlet arguments, according to Microsoft, which does not give an attack scenario but does note that the attacker needs to be authenticated with privileges.

    “This indicates that if you take over someone’s mailbox, you can take over the whole Exchange server,” according to Dustin Childs at Trend Micro’s Zero Day Initiative (ZDI), writing in a Tuesday analysis. “With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.”

    Also on the Exchange front, CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September’s Patch Tuesday release. Though not critical, it is of note, Childs said.

    Childs also flagged CVE-2020-17121, one of two critical RCE bugs in Microsoft SharePoint (the other is CVE-2020-17118). Originally reported through the ZDI program, the bug could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account.

    “In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack,” Childs said. “Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.”

    In fact, the SharePoint CVEs should take patching priority, Immersive Labs’ Kevin Breen, director of cyberthreat research, said via email. “Both are rated as critical as they have RCE, and SharePoint can be used like a watering hole inside of large organizations by an attacker,” he said. “All it takes is for a couple of weaponized documents to be placed for malicious code to spread across an organization.”

    Another critical bug of note is tracked as CVE-2020-17095, a Hyper-V RCE vulnerability that allows an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. The flaw carries the highest CVSS score in the update, coming in at 8.5, since no special permissions are required to exploit it.

    “To exploit this vulnerability, an adversary could run a custom application on a Hyper-V guest that would cause the Hyper-V host operating system to allow arbitrary code execution when it fails to properly validate vSMB packet data,” explained Automox researcher Jay Goodman, via email. “The vulnerability is present on most builds of Windows 10 and Windows Server 2004 and onward.”

    Two post-authentication RCE flaws in Microsoft Dynamics 365 for Finance and Operations (on-premises) (CVE-2020-17158 and CVE-2020-17152) round out the critical patches, along with a memory-corruption issue in the Chakra Scripting Engine, which affects the Edge browser (CVE-2020-17131).

    “Only one [of the critical-rated updates] (surprisingly) impacts the browser,” Childs noted. “That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory-corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season.”

    Though it is a lighter than normal month for the number of patches, the steady stream of critical RCE bugs presents plenty of risk, said Justin Knapp, researcher at Automox, via email.

    “Instead of having to manipulate a user to click a malicious link or attachment, bad actors simply have to target an unpatched system to gain initial access, at which point a number of techniques can be used to increase access to valuable assets,” he said, referring to this month’s critical RCE problems. “It goes without saying that the speed at which an organization can deploy these fixes will dictate the amount of risk they take on.”

    Other Bugs, Patching

    In addition to the critical bugs, a full 46 of the bugs are rated as important, and three are rated moderate in severity. The important bugs include 10 Office bugs impacting Outlook, PowerPoint and Excel — for these, Office 2019 versions for Mac do not have patches yet.

    “This is a wind-down to a year that began with Microsoft addressing 49 CVEs in January of 2020, followed by eight consecutive months with over 90 CVEs addressed. In 2020, Microsoft released patches for over 1,200 CVEs,” Satnam Narang, principal research engineer, Tenable, told Threatpost.

    Patching may be more difficult than ever going forward. “One of the things that stands out is that Microsoft has removed a lot of the detail they usually share with these kinds of advisories,” Breen said. “For me, this could lead to some issues. Patching is not as simple as just clicking an update button, and security teams like to gain a deeper understanding of what they are doing. Instead, however, they are expected to work with less information.”

    Elsewhere, Adobe issued patches for flaws tied to one important-rated and three critical-severity CVEs, via its regularly scheduled December security updates.

    “While lighter than normal, the most serious allow for arbitrary code execution, including three critical-severity CVEs and one less severe (important-rated) flaw identified,” Nick Colyer, researcher from Automox, said. “The holidays present unique challenges to security teams’ upcoming out-of-office time, and the severity of the vulnerabilities Adobe has addressed is non-trivial given those challenges. It is important to prioritize any key vulnerabilities during holidays to reduce the threat surface exposed to would-be attackers.”
