December Patch Tuesday Arrives with 58 Fixes

To end the year, Microsoft has remediated 58 bugs including 9 Critical, 46 Important and 3 Moderate. Microsoft has fixed over 1,200 vulnerabilities to date, more than any other year.

Fixes this month included Microsoft Windows, Edge (Edge HTML-based), Chakra Core, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.

However, there were surprisingly no fixes for Internet Explorer — could there be a last minute out-of-band for December? We will have to wait and see.

There were just shy of half the fixes compared to November, which was a record high of 112 vulnerabilities.

There have also been Windows 7 and Windows Server 2008 (including R2) vulnerabilities for extended support subscribers. Windows 7 and Windows Server 2008 (including R2) both have 9 vulnerabilities: all Important.

Robert Brown, Director of Services for Syxsense said, “We were told there would not be any preview updates this month to reduce the holiday burden on IT departments, but we are surprised not to see any Internet Explorer fixes in here and only 1 for Edge. Stay vigilant as there may be last minute OOB updates before New Year.”

Top December Patches and Vulnerabilities

1. CVE-2020-17132 & CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability

• CVSS Score 9.1 making this one of the top 3 highest vulnerabilities to prioritize this month. No countermeasure is available.
• If a hacker can take over a single mailbox, they can take over the entire Exchange server. These two updates are the highest rated alongside several other fixes for Exchange so this should be your highest priority if you are still using Exchange.
• Affects Exchange 2016 & 2019
• Workaround: None

2. CVE-2020-17158: Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability

• CVSS score of 8.8 making this joint top 2 highest vulnerabilities to prioritize this month, no countermeasure is available
• Exploitation: More Likely
• Attack Complexity: Low
• User Interaction: None

3. CVE-2020-17121: Microsoft SharePoint Remote Code Execution Vulnerability

• CVSS score of 8.8 with no countermeasure
• Exploitation: More Likely
• Affects SharePoint 2010, 2013, 2016 & 2019
• Attack Vector: In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel.
• Integrity: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any / all files at will.

Syxsense Recommendations

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below which you should prioritize this month; please pay close attention to any of these which are Publicly Aware and / or Weaponized.

CVE Reference	Description	Vendor Severity	CVSS Score	Workaround	Publicly Aware	Weaponised	Syxscore Recommended
CVE-2020-17132	Microsoft Exchange Remote Code Execution Vulnerability	Critical	9.1	No	No	No	Yes
CVE-2020-17142	Microsoft Exchange Remote Code Execution Vulnerability	Critical	9.1	No	No	No	Yes
CVE-2020-17152	Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability	Critical	8.8	No	No	No	Yes
CVE-2020-17158	Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability	Critical	8.8	No	No	No	Yes
CVE-2020-17121	Microsoft SharePoint Remote Code Execution Vulnerability	Critical	8.8	No	No	No	Yes
CVE-2020-17143	Microsoft Exchange Information Disclosure Vulnerability	Important	8.8	No	No	No	Yes
CVE-2020-17147	Dynamics CRM Web client Cross-site Scripting Vulnerability	Important	8.7	No	No	No	Yes
CVE-2020-17095	Hyper-V Remote Code Execution Vulnerability	Critical	8.5	No	No	No	Yes
CVE-2020-17141	Microsoft Exchange Remote Code Execution Vulnerability	Important	8.4	No	No	No	Yes
CVE-2020-17144	Microsoft Exchange Remote Code Execution Vulnerability	Important	8.4	No	No	No	Yes
CVE-2020-17118	Microsoft SharePoint Remote Code Execution Vulnerability	Critical	8.1	No	No	No	Yes
CVE-2020-17140	Windows SMB Information Disclosure Vulnerability	Important	8.1	No	No	No	Yes
CVE-2020-17115	Microsoft SharePoint Spoofing Vulnerability	Moderate	8	No	No	No	Yes
CVE-2020-17117	Microsoft Exchange Remote Code Execution Vulnerability	Critical	6.6	No	No	No	Yes
CVE-2020-17131	Chakra Scripting Engine Memory Corruption Vulnerability	Critical	4.2	No	No	No	Yes
CVE-2020-17137	DirectX Graphics Kernel Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-17122	Microsoft Excel Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17123	Microsoft Excel Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17125	Microsoft Excel Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17127	Microsoft Excel Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17128	Microsoft Excel Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17129	Microsoft Excel Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17124	Microsoft PowerPoint Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17159	Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17150	Visual Studio Code Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17148	Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-17156	Visual Studio Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2020-16958	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-16959	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-16960	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-16961	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-16962	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-16963	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-16964	Windows Backup Engine Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-17134	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-17136	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-17092	Windows Network Connections Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2020-17139	Windows Overlay Filter Security Feature Bypass Vulnerability	Important	7.8	No	No	No
CVE-2020-17096	Windows NTFS Remote Code Execution Vulnerability	Important	7.5	No	No	No
CVE-2020-17002	Azure SDK for C Security Feature Bypass Vulnerability	Important	7.4	No	No	No
CVE-2020-17160	Azure Sphere Security Feature Bypass Vulnerability	Important	7.4	No	No	No
CVE-2020-16971	Azure SDK for Java Security Feature Bypass Vulnerability	Moderate	7.4	No	No	No
CVE-2020-17089	Microsoft SharePoint Elevation of Privilege Vulnerability	Important	7.1	No	No	No
CVE-2020-17103	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	Important	7	No	No	No
CVE-2020-17099	Windows Lock Screen Security Feature Bypass Vulnerability	Important	6.8	No	No	No
CVE-2020-16996	Kerberos Security Feature Bypass Vulnerability	Important	6.5	No	No	No
CVE-2020-17133	Microsoft Dynamics Business Central/NAV Information Disclosure	Important	6.5	No	No	No
CVE-2020-17130	Microsoft Excel Security Feature Bypass Vulnerability	Important	6.5	No	No	No
CVE-2020-17119	Microsoft Outlook Information Disclosure Vulnerability	Important	6.5	No	No	No
CVE-2020-17135	Azure DevOps Server Spoofing Vulnerability	Important	6.4	No	No	No
CVE-2020-17126	Microsoft Excel Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2020-17094	Windows Error Reporting Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2020-17138	Windows Error Reporting Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2020-17098	Windows GDI+ Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2020-17145	Azure DevOps Server and Team Foundation Services Spoofing Vulnerability	Important	5.4	No	No	No
CVE-2020-17120	Microsoft SharePoint Information Disclosure Vulnerability	Important	5.3	No	No	No
CVE-2020-17153	Microsoft Edge for Android Spoofing Vulnerability	Moderate	4.3	No	No	No
CVE-2020-17097	Windows Digital Media Receiver Elevation of Privilege Vulnerability	Important	3.3	No	No	No