Microsoft on Tuesday released fixes for 58 newly discovered security flaws spanning as many as 11 products and services as part of its final Patch Tuesday of 2020, effectively bringing its CVE total to 1,250 for the year.
Of these 58 patches, 9 are rated as Critical, 46 are rated as Important, and 3 are rated Moderate in severity.
The December security release addresses issues in Microsoft Windows, Edge browser, ChakraCore, Microsoft Office, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.
The good news is, none of these flaws this month have been reported as publicly known or currently being actively exploited in the wild.
The fixes for December concern a number of remote code execution (RCE) flaws in Microsoft Exchange (CVE-2020-17132), SharePoint (CVE-2020-17118 and CVE-2020-17121), Excel (CVE-2020-17123), and Hyper-V virtualization software (CVE-2020-17095), as well as a patch for a security feature bypass in Kerberos (CVE-2020-16996), and a number of privilege escalation flaws in Windows Backup Engine and Windows Cloud Files Mini Filter Driver.
CVE-2020-17095 also carries the highest CVSS score of 8.5 among all vulnerabilities resolved in this month's release.
"To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data," Microsoft noted.
Also included as part of this month's release is an advisory for a DNS cache poisoning vulnerability (CVE-2020-25705) discovered by security researchers from Tsinghua University and the University of California last month.
Dubbed a Side-channel AttackeD DNS attack (or SAD DNS attack), the flaw could allow an attacker to spoof the DNS packet, which can be cached by the DNS Forwarder or the DNS Resolver, thereby re-enabling DNS cache poisoning attacks.
To mitigate the risk, Microsoft recommends a Registry workaround that involves changing the maximum UDP packet size to 1,221 bytes (4C5 Hexadecimal).
"For responses larger than 4C5 or 1221, the DNS resolver would now switch to TCP," the Windows maker stated in its advisory.
Since the attack relies on sending spoofed UDP (User Datagram Protocol) messages to defeat source port randomization for DNS requests, implementing the tweak will cause larger DNS queries to switch to TCP, thus mitigating the flaw.
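The size check behind this workaround, as an added example (not Microsoft's code and not from the original article). It assumes standard DNS truncation behaviour (RFC 1035), where an oversized UDP response is replaced by a header-plus-question reply with the TC bit set so the client retries over TCP; the function names and the sample TXT records are constructed for illustration.

```python
import struct

MAX_UDP_PAYLOAD = 0x4C5  # 1221 bytes, the limit quoted from the advisory
TC_FLAG = 0x0200         # TrunCation bit in the DNS header flags (RFC 1035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(txid, qname, txt_records):
    """Build a sample TXT response on the wire (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # TXT, IN
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt
        # 0xC00C is a compression pointer back to the question name
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answers

def question_end(msg):
    """Offset just past the single, uncompressed question (assumed layout)."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4  # root label + QTYPE + QCLASS

def fit_to_udp(msg, limit=MAX_UDP_PAYLOAD):
    """Return (wire_bytes, truncated). Responses larger than the limit are
    reduced to header + question with TC set, telling the client to use TCP."""
    if len(msg) <= limit:
        return msg, False
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0)
    return header + msg[12:question_end(msg)], True

def is_truncated(msg):
    """Client-side check: a set TC bit means retry the query over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

if __name__ == "__main__":
    big = build_response(0x1234, "example.test", [b"a" * 200] * 7)
    wire, truncated = fit_to_udp(big)
    print(len(big), len(wire), truncated, is_truncated(wire))
```

Because the full answer is then only delivered over a TCP connection, an off-path attacker can no longer race the legitimate reply with spoofed UDP packets for these larger responses.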
It's highly advised that Windows users and system administrators apply the latest security patches to resolve the threats associated with these issues.
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.