Patch Tuesday – December 2020
The end of the year has Microsoft patching fewer vulnerabilities than usual. Nevertheless, there are some important patches that need to be installed. So, like every month, you should start testing the updates for deployment in your environment as soon as possible.
Windows and Windows Server
This month there’s just one critical vulnerability patched for Windows. It is a remote code execution (RCE) flaw that an attacker could exploit by running a specially crafted application on a Hyper-V guest. Because the host fails to properly validate vSMB packet data, exploitation could result in the host operating system running arbitrary code.
The remaining patches consist of 7 elevation of privilege (EoP) flaws rated important, 1 important RCE, and 2 important information disclosure bugs. Microsoft Edge (legacy) also gets a patch for a critical RCE vulnerability.
Microsoft issued a security advisory for the Windows DNS resolver where an attacker could spoof a DNS packet cached by the DNS forwarder or resolver. There’s no patch available now but Microsoft has published a workaround that involves adding a registry value to change the UDP buffer size for DNS and then restarting the DNS service. The workaround could force the DNS resolver to switch to TCP for large responses.
Exchange, SQL, and SharePoint Server
Microsoft Exchange and SharePoint Server get a series of patches to fix RCE flaws in the products. Because these servers are often exposed to the Internet, you should think about patching them as soon as possible.
Microsoft 365 apps for Enterprise, previously known as Click to Run, get updates for 5 RCE vulnerabilities that are rated important, one security feature bypass fix, and one patch for an information disclosure flaw. This month you should also make sure users are working with the latest update to the Teams desktop app.
A zero-click remote code execution bug in the Microsoft Teams desktop app could let an attacker execute arbitrary code by sending a specially crafted chat message. The bug wasn’t assigned a CVE number because the Teams app automatically updates. If an attacker exploits the vulnerability, it could give them complete access to private chats, files, private keys, and data outside the Teams app. The bug affects the Teams app on all supported platforms.
And finally, Adobe issued a security update that fixes an information disclosure flaw in its Acrobat products on Windows and macOS.
And that is it until January 2021!