Microsoft Patches Just 58 CVEs in Light December Update

Microsoft spread some festive cheer among sysadmins this month with a Patch Tuesday only around half as large as most of its updates this year, fixing just 58 CVEs.

Of those, nine were rated critical, with CVE-2020-17132 singled out by Recorded Future senior security architect Allan Liska as a priority.

“The vulnerability impacts Microsoft Exchange 2013 through 2019 and requires the attacker to be authenticated. Unusually, Microsoft does not include an attack scenario in the description other than to say the vulnerability is the result of improper validation of cmdlet (lightweight commands used in PowerShell) arguments,” he explained.

“One item of note: Microsoft thanked researchers from three different organizations for reporting this vulnerability, which means it is likely easy to locate and exploit. A fourth researcher reported CVE-2020-17142, a similar vulnerability in Microsoft Exchange (affecting cmdlets).”

Liska added that sysadmins should also prioritize CVE-2020-17117, another RCE bug in Microsoft Exchange which also affects versions 2013-2019.

The other critical disclosures cover SharePoint, Hyper-V, Chakra Scripting and several other workstation vulnerabilities.

Liska also pointed to several RCE bugs in Excel which could allow attackers to execute arbitrary code on a victim’s machine: CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129 and CVE-2020-17130.

“Microsoft lists all of these vulnerabilities as Important rather than Critical, but given the speed with which attackers often weaponize Microsoft Office vulnerabilities, these should be prioritized in patching,” he argued.

Microsoft also issued guidance to address vulnerabilities in DNS resolver as part of a new advisory, ADV200013.

“The vulnerability is a spoofing vulnerability in DNS resolver that could allow an attacker to exploit a DNS cache poisoning caused by IP fragmentation,” explained Ivanti senior product manager, Todd Schell. “An attacker could spoof the DNS packet which can be cached by the DNS forwarder or the DNS resolver. A workaround for configuring DNS servers is outlined in the advisory.”

Not to be outdone, Adobe fixed 14 vulnerabilities in Adobe Reader last month, four of which were critical. On Wednesday it released a further advisory fixing an "important" bug (CVE-2020-29075) affecting various versions of Reader and Acrobat.

What’s Hot on Infosecurity Magazine?