
Patch Tuesday – December 2020

The end of the year has Microsoft patching fewer vulnerabilities than usual. Nevertheless, there are some important bugs that need to be fixed. So, like every month, you should start testing the updates for deployment in your environment as soon as possible.

Windows and Windows Server

This month there’s just one critical vulnerability patched for Windows. An attacker could exploit a remote code execution (RCE) flaw with a specially crafted application on a Hyper-V guest. It could result in the host operating system running arbitrary code when it fails to properly validate vSMB packet data.

The remaining patches consist of 7 elevation of privilege (EoP) flaws rated important, 1 important RCE, and 2 important information disclosure bugs. Microsoft Edge (legacy) also gets a patch for a critical RCE vulnerability.

Microsoft issued a security advisory for the Windows DNS resolver where an attacker could spoof a DNS packet cached by the DNS forwarder or resolver. There’s no patch available now but Microsoft has published a workaround that involves adding a registry value to change the UDP buffer size for DNS and then restarting the DNS service. The workaround could force the DNS resolver to switch to TCP for large responses.
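How a UDP buffer-size limit changes resolver behaviour, as an added example that is not code from this page or from Microsoft: a query advertises its maximum UDP payload in an EDNS0 OPT record, a reply that does not fit comes back with the TC (truncated) bit set, and the client then repeats the query over TCP, where an off-path spoofer cannot guess the connection state. The 1232-byte size and the `resolve()` helper are assumptions for illustration, not values or code from the advisory.

```python
import socket
import struct

MAX_UDP_PAYLOAD = 1232  # assumed buffer size, not the value from Microsoft's advisory


def build_query(name, qtype=1, udp_payload=MAX_UDP_PAYLOAD):
    """Build a DNS query whose trailing OPT record advertises udp_payload bytes."""
    # id, flags (RD set), 1 question, 0 answers, 0 authority, 1 additional (the OPT record)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size,
    # TTL field carries extended rcode/version/flags (all zero), empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def advertised_udp_size(query):
    """Read the payload size back out of the trailing OPT record."""
    return struct.unpack("!H", query[-8:-6])[0]


def response_needs_tcp(response):
    """True when the server set the TC bit, i.e. the answer did not fit in UDP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)


def resolve(name, server, timeout=2.0):
    """Query over UDP; if the reply is truncated, retry the same query over TCP."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(MAX_UDP_PAYLOAD)
    if not response_needs_tcp(response):
        return response, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)  # TCP framing: 2-byte length
        length = struct.unpack("!H", tcp.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = tcp.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return data, "tcp"
```

Lowering the advertised size means more large answers (typically those with many records or DNSSEC signatures) arrive truncated and are fetched over TCP, at the cost of an extra round trip.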


Exchange, SQL, and SharePoint Server

Microsoft Exchange and SharePoint Server get a series of patches to fix RCE flaws in the products. Because these servers are often exposed to the Internet, you should think about patching them as soon as possible.

Microsoft Office

Microsoft 365 Apps for Enterprise, previously known as Click-to-Run, get updates for 5 RCE vulnerabilities that are rated important, one security feature bypass fix, and one patch for an information disclosure flaw. This month you should also make sure users are working with the latest update to the Teams desktop app.

A zero-click remote code execution bug in the Microsoft Teams desktop app could let an attacker execute arbitrary code by sending a specially crafted chat message. The bug wasn’t assigned a CVE number because the Teams app automatically updates. If an attacker exploits the vulnerability, it could give them complete access to private chats, files, private keys, and data outside the Teams app. The bug affects the Teams app on all supported platforms.

Adobe Software

And finally, Adobe issued a security update that fixes an information disclosure flaw in its Acrobat products on Windows and macOS.

And that is it until January 2021!


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.