Skip to main content
NewsPatch ManagementPatch Tuesday

December Patch Tuesday 2020 Fixes 58 Vulnerabilities

By December 9, 2020November 10th, 2022No Comments
||

December Patch Tuesday 2020 Fixes 58 Vulnerabilities

December Patch Tuesday has arrived with 58 security gaps remediated, including 22 remote code execution vulnerabilities.

December Patch Tuesday Arrives with 58 Fixes

To end the year, Microsoft has remediated 58 bugs including 9 Critical, 46 Important and 3 Moderate. Microsoft has fixed over 1,200 vulnerabilities to date, more than any other year.

Fixes this month included Microsoft Windows, Edge (Edge HTML-based), Chakra Core, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.

However, there were surprisingly no fixes for Internet Explorer — could there be a last minute out-of-band for December? We will have to wait and see.

There were just shy of half the fixes compared to November, which was a record high of 112 vulnerabilities.

There have also been Windows 7 and Windows Server 2008 (including R2) vulnerabilities for extended support subscribers. Windows 7 and Windows Server 2008 (including R2) both have 9 vulnerabilities: all Important.

Robert Brown, Director of Services for Syxsense said, “We were told there would not be any preview updates this month to reduce the holiday burden on IT departments, but we are surprised not to see any Internet Explorer fixes in here and only 1 for Edge. Stay vigilant as there may be last minute OOB updates before New Year.”

Top December Patches and Vulnerabilities

1. CVE-2020-17132 & CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability

  • CVSS Score 9.1 making this one of the top 3 highest vulnerabilities to prioritize this month. No countermeasure is available.
  • If a hacker can take over a single mailbox, they can take over the entire Exchange server. These two updates are the highest rated alongside several other fixes for Exchange so this should be your highest priority if you are still using Exchange.
  • Affects Exchange 2016 & 2019
  • Workaround: None

2. CVE-2020-17158: Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability

  • CVSS score of 8.8 making this joint top 2 highest vulnerabilities to prioritize this month, no countermeasure is available
  • Exploitation: More Likely
  • Attack Complexity: Low
  • User Interaction: None

3. CVE-2020-17121: Microsoft SharePoint Remote Code Execution Vulnerability

  • CVSS score of 8.8 with no countermeasure
  • Exploitation: More Likely
  • Affects SharePoint 2010, 2013, 2016 & 2019
  • Attack Vector: In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel.
  • Integrity: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any / all files at will.

Syxsense Recommendations

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below which you should prioritize this month; please pay close attention to any of these which are Publicly Aware and / or Weaponized.

CVE Reference Description Vendor Severity CVSS Score Workaround Publicly Aware Weaponised Syxscore Recommended
CVE-2020-17132 Microsoft Exchange Remote Code Execution Vulnerability Critical 9.1 No No No Yes
CVE-2020-17142 Microsoft Exchange Remote Code Execution Vulnerability Critical 9.1 No No No Yes
CVE-2020-17152 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability Critical 8.8 No No No Yes
CVE-2020-17158 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability Critical 8.8 No No No Yes
CVE-2020-17121 Microsoft SharePoint Remote Code Execution Vulnerability Critical 8.8 No No No Yes
CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability Important 8.8 No No No Yes
CVE-2020-17147 Dynamics CRM Web client Cross-site Scripting Vulnerability Important 8.7 No No No Yes
CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability Critical 8.5 No No No Yes
CVE-2020-17141 Microsoft Exchange Remote Code Execution Vulnerability Important 8.4 No No No Yes
CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability Important 8.4 No No No Yes
CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability Critical 8.1 No No No Yes
CVE-2020-17140 Windows SMB Information Disclosure Vulnerability Important 8.1 No No No Yes
CVE-2020-17115 Microsoft SharePoint Spoofing Vulnerability Moderate 8 No No No Yes
CVE-2020-17117 Microsoft Exchange Remote Code Execution Vulnerability Critical 6.6 No No No Yes
CVE-2020-17131 Chakra Scripting Engine Memory Corruption Vulnerability Critical 4.2 No No No Yes
CVE-2020-17137 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17122 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17123 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17125 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17127 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17129 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17124 Microsoft PowerPoint Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17159 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17150 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17148 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-16958 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16959 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16961 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16962 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16963 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16964 Windows Backup Engine Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17134 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17136 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17092 Windows Network Connections Service Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17139 Windows Overlay Filter Security Feature Bypass Vulnerability Important 7.8 No No No
CVE-2020-17096 Windows NTFS Remote Code Execution Vulnerability Important 7.5 No No No
CVE-2020-17002 Azure SDK for C Security Feature Bypass Vulnerability Important 7.4 No No No
CVE-2020-17160 Azure Sphere Security Feature Bypass Vulnerability Important 7.4 No No No
CVE-2020-16971 Azure SDK for Java Security Feature Bypass Vulnerability Moderate 7.4 No No No
CVE-2020-17089 Microsoft SharePoint Elevation of Privilege Vulnerability Important 7.1 No No No
CVE-2020-17103 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7 No No No
CVE-2020-17099 Windows Lock Screen Security Feature Bypass Vulnerability Important 6.8 No No No
CVE-2020-16996 Kerberos Security Feature Bypass Vulnerability Important 6.5 No No No
CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure Important 6.5 No No No
CVE-2020-17130 Microsoft Excel Security Feature Bypass Vulnerability Important 6.5 No No No
CVE-2020-17119 Microsoft Outlook Information Disclosure Vulnerability Important 6.5 No No No
CVE-2020-17135 Azure DevOps Server Spoofing Vulnerability Important 6.4 No No No
CVE-2020-17126 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17094 Windows Error Reporting Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17138 Windows Error Reporting Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17098 Windows GDI+ Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17145 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important 5.4 No No No
CVE-2020-17120 Microsoft SharePoint Information Disclosure Vulnerability Important 5.3 No No No
CVE-2020-17153 Microsoft Edge for Android Spoofing Vulnerability Moderate 4.3 No No No
CVE-2020-17097 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important 3.3 No No No

Experience the Power of Syxsense

Syxsense is a cloud-based solution that helps organizations manage and secure their endpoints with ease. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Leave a Reply