Microsoft Patches Just 58 CVEs in Light December Update

  • Microsoft distribute some festive cheer among sysadmins this month with a Patch Tuesday only around half as huge as most of its updates this year, repairing just 58 CVEs.

    Of people, nine were being rated critical, with CVE-2020-17132 singled out by Recorded Foreseeable future senior security architect Allan Liska as a precedence.

    “The vulnerability impacts Microsoft Trade 2013 through 2019 and needs the attacker to be authenticated. Unusually, Microsoft does not incorporate an attack circumstance in the description other than to say the vulnerability is the final result of inappropriate validation of cmdlet (light-weight commands made use of in PowerShell) arguments,” he explained.

    “One product of note: Microsoft thanked researchers from three different businesses for reporting this vulnerability, which implies it is probably easy to locate and exploit. A fourth researcher described CVE-2020-17142, a similar vulnerability in Microsoft Exchange (influencing cmdlets).”

    Liska extra that sysadmins must also prioritize CVE-2020-17117, a further RCE bug in Microsoft Exchange which also has an effect on variations 2013-2019.

    The other critical disclosures include SharePoint, Hyper-V, Chakra Scripting and numerous other workstation vulnerabilities.

    Liska also pointed to several RCE bugs in Excel which could allow attackers to execute arbitrary code on a victim’s machine: CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129 and CVE-2020-17130.

    “Microsoft lists all of these vulnerabilities as Essential fairly than Critical, but offered the pace with which attackers usually weaponize Microsoft Office environment vulnerabilities, these need to be prioritized in patching,” he argued.

    Microsoft also issued steerage to address vulnerabilities in DNS resolver as section of a new advisory, ADV200013.

    “The vulnerability is a spoofing vulnerability in DNS resolver that could make it possible for an attacker to exploit a DNS cache poisoning caused by IP fragmentation,” explained Ivanti senior product or service manager, Todd Schell. “An attacker could spoof the DNS packet which can be cached by the DNS forwarder or the DNS resolver. A workaround for configuring DNS servers is outlined in the advisory.”

    Not to be outdone, Adobe preset 14 vulnerabilities in Adobe Reader this month, four of which had been critical.