Patch Tuesday – December 2020

The end of the year has Microsoft patching fewer vulnerabilities than usual. Nevertheless, there are some important fixes that need to be installed. So, like every month, you should start testing the updates for deployment in your environment as soon as possible.

Windows and Windows Server

This month there’s just one critical vulnerability patched for Windows: a remote code execution (RCE) flaw in Hyper-V. The host fails to properly validate vSMB packet data, so an attacker running a specially crafted application on a Hyper-V guest could get the host operating system to run arbitrary code.

The remaining patches consist of 7 elevation of privilege (EoP) flaws rated important, 1 important RCE, and 2 important information disclosure bugs. Microsoft Edge (legacy) also gets a patch for a critical RCE vulnerability.

Microsoft issued a security advisory for the Windows DNS resolver where an attacker could spoof a DNS packet cached by the DNS forwarder or resolver. There’s no patch available yet, but Microsoft has published a workaround: add a registry value that changes the UDP buffer size for DNS, then restart the DNS service. With the changed buffer size, the resolver can be forced to switch to TCP for large responses.
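To roll the DNS workaround out consistently across servers, here is an added PowerShell snippet (not from this post or from Microsoft) that audits the registry value, applies it only when it is missing or wrong, restarts the DNS service, and verifies the result. The registry path, value name and value data are placeholders; take the real ones from Microsoft's advisory before using this.

```powershell
# Added example: audit and apply a DNS-resolver registry workaround, then restart DNS.
# PLACEHOLDERS below: the real key path, value name and data come from Microsoft's advisory.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\<PLACEHOLDER-DNS-KEY>'
$ValueName = '<PLACEHOLDER-UDP-BUFFER-VALUE-NAME>'
$Desired   = 0   # PLACEHOLDER: the UDP buffer size Microsoft recommends, as a DWORD

function Get-DnsWorkaroundState {
    # Returns the current DWORD, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DnsWorkaround {
    param([switch]$AuditOnly)   # -AuditOnly reports drift without changing anything
    $current = Get-DnsWorkaroundState
    if ($current -eq $Desired) {
        Write-Host "Compliant: $ValueName already set to $Desired"
        return $false
    }
    Write-Host "Non-compliant: $ValueName is '$current', expected $Desired"
    if ($AuditOnly) { return $true }

    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                     -Value $Desired -Force | Out-Null
    # The workaround only takes effect once the DNS service is restarted.
    Restart-Service -Name DNS -Force
    # Re-read after the restart so a failed write shows up in monitoring.
    if ((Get-DnsWorkaroundState) -ne $Desired) { throw "Registry value did not persist" }
    return $true
}

# Audit first; run without -AuditOnly on a test server before a fleet-wide rollout.
Set-DnsWorkaround -AuditOnly
```

Run it under an account with local administrator rights, since both the registry write and the service restart require them.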

Exchange, SQL, and SharePoint Server

Microsoft Exchange and SharePoint Server get a series of patches to fix RCE flaws in the products. Because these servers are often exposed to the Internet, you should think about patching them as soon as possible.

Microsoft Office

Microsoft 365 Apps for Enterprise, previously known as Click-to-Run, get updates for 5 RCE vulnerabilities that are rated important, one security feature bypass fix, and one patch for an information disclosure flaw. This month you should also make sure users are working with the latest update to the Teams desktop app.

A zero-click remote code execution bug in the Microsoft Teams desktop app could let an attacker execute arbitrary code by sending a specially crafted chat message. The bug wasn’t assigned a CVE number because the Teams app automatically updates. If an attacker exploits the vulnerability, it could give them complete access to private chats, files, private keys, and data outside the Teams app. The bug affects the Teams app on all supported platforms.

Adobe Software

And finally, Adobe issued a security update that fixes an information disclosure flaw in its Acrobat products on Windows and macOS.

And that is it until January 2021!