December Patch Tuesday 2020 Fixes 58 Vulnerabilities
December Patch Tuesday Arrives with 58 Fixes
To end the year, Microsoft has remediated 58 bugs including 9 Critical, 46 Important and 3 Moderate. Microsoft has fixed over 1,200 vulnerabilities to date, more than any other year.
Fixes this month included Microsoft Windows, Edge (Edge HTML-based), Chakra Core, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.
However, there were surprisingly no fixes for Internet Explorer — could there be a last minute out-of-band for December? We will have to wait and see.
There were just shy of half the fixes compared to November, which was a record high of 112 vulnerabilities.
There have also been Windows 7 and Windows Server 2008 (including R2) vulnerabilities for extended support subscribers. Windows 7 and Windows Server 2008 (including R2) both have 9 vulnerabilities: all Important.
Robert Brown, Director of Services for Syxsense said, “We were told there would not be any preview updates this month to reduce the holiday burden on IT departments, but we are surprised not to see any Internet Explorer fixes in here and only 1 for Edge. Stay vigilant as there may be last minute OOB updates before New Year.”
Top December Patches and Vulnerabilities
1. CVE-2020-17132 & CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
- CVSS Score 9.1 making this one of the top 3 highest vulnerabilities to prioritize this month. No countermeasure is available.
- If a hacker can take over a single mailbox, they can take over the entire Exchange server. These two updates are the highest rated alongside several other fixes for Exchange so this should be your highest priority if you are still using Exchange.
- Affects Exchange 2016 & 2019
- Workaround: None
2. CVE-2020-17158: Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
- CVSS score of 8.8 making this joint top 2 highest vulnerabilities to prioritize this month, no countermeasure is available
- Exploitation: More Likely
- Attack Complexity: Low
- User Interaction: None
3. CVE-2020-17121: Microsoft SharePoint Remote Code Execution Vulnerability
- CVSS score of 8.8 with no countermeasure
- Exploitation: More Likely
- Affects SharePoint 2010, 2013, 2016 & 2019
- Attack Vector: In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel.
- Integrity: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any / all files at will.
Syxsense Recommendations
Based on the Vendor Severity and CVSS Score, we have made a few recommendations below which you should prioritize this month; please pay close attention to any of these which are Publicly Aware and / or Weaponized.
| CVE Reference | Description | Vendor Severity | CVSS Score | Workaround | Publicly Aware | Weaponised | Syxscore Recommended |
| CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | 9.1 | No | No | No | Yes |
| CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | 9.1 | No | No | No | Yes |
| CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | No | Yes |
| CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | No | Yes |
| CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 8.8 | No | No | No | Yes |
| CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important | 8.8 | No | No | No | Yes |
| CVE-2020-17147 | Dynamics CRM Web client Cross-site Scripting Vulnerability | Important | 8.7 | No | No | No | Yes |
| CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical | 8.5 | No | No | No | Yes |
| CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | Important | 8.4 | No | No | No | Yes |
| CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | Important | 8.4 | No | No | No | Yes |
| CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 8.1 | No | No | No | Yes |
| CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | Important | 8.1 | No | No | No | Yes |
| CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | Moderate | 8 | No | No | No | Yes |
| CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | 6.6 | No | No | No | Yes |
| CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | No | Yes |
| CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | Important | 7.8 | No | No | No | |
| CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important | 7.5 | No | No | No | |
| CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important | 7.4 | No | No | No | |
| CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important | 7.4 | No | No | No | |
| CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | Moderate | 7.4 | No | No | No | |
| CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | 7.1 | No | No | No | |
| CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | No | |
| CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | 6.8 | No | No | No | |
| CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | Important | 6.5 | No | No | No | |
| CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | 6.5 | No | No | No | |
| CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 6.5 | No | No | No | |
| CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | Important | 6.5 | No | No | No | |
| CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | Important | 6.4 | No | No | No | |
| CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | Important | 5.5 | No | No | No | |
| CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important | 5.4 | No | No | No | |
| CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important | 5.3 | No | No | No | |
| CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate | 4.3 | No | No | No | |
| CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 3.3 | No | No | No |
Experience the Power of Syxsense
Syxsense is a cloud-based solution that helps organizations manage and secure their endpoints with ease. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.
