Patch Tuesday – December 2020

Microsoft closes out the year by patching fewer vulnerabilities than usual. Nevertheless, there are some important fixes that need to be installed. So, like every month, you should start testing the updates for deployment in your environment as soon as possible.

Windows and Windows Server

This month there’s just one critical vulnerability patched for Windows. An attacker could exploit a remote code execution (RCE) flaw by running a specially crafted application on a Hyper-V guest. Because the host fails to properly validate vSMB packet data, this could result in the host operating system running arbitrary code.

The remaining patches consist of 7 elevation of privilege (EoP) flaws rated important, 1 important RCE, and 2 important information disclosure bugs. Microsoft Edge (legacy) also gets a patch for a critical RCE vulnerability.

Microsoft issued a security advisory for the Windows DNS resolver, where an attacker could spoof a DNS packet that is cached by the DNS forwarder or resolver. There’s no patch available now, but Microsoft has published a workaround that involves adding a registry value to change the UDP buffer size for DNS and then restarting the DNS service. The workaround could force the DNS resolver to switch to TCP for large responses.

Exchange, SQL, and SharePoint Server

Microsoft Exchange and SharePoint Server get a series of patches to fix RCE flaws in the products. Because these servers are often exposed to the Internet, you should think about patching them as soon as possible.

Microsoft Office

Microsoft 365 apps for Enterprise, previously known as Click to Run, get updates for 5 RCE vulnerabilities that are rated important, one security feature bypass fix, and one patch for an information disclosure flaw. This month you should also make sure users are working with the latest update to the Teams desktop app.

A zero-click remote code execution bug in the Microsoft Teams desktop app could let an attacker execute arbitrary code by sending a specially crafted chat message. The bug wasn’t assigned a CVE number because the Teams app automatically updates. If an attacker exploits the vulnerability, it could give them complete access to private chats, files, private keys, and data outside the Teams app. The bug affects the Teams app on all supported platforms.

Adobe Software

And finally, Adobe issued a security update that fixes an information disclosure flaw in its Acrobat products on Windows and macOS.

And that is it until January 2021!



IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
