Microsoft Patch Tuesday fixes 58 flaws
The last Patch Tuesday of the year brings another fresh batch of fixes for Microsoft products, and while the number may be lower, the patches are no less important.
In the last Patch Tuesday of the year, Microsoft has rolled out fixes for no fewer than 58 vulnerabilities across more than ten products, including Windows and other Microsoft software.
Nine flaws have received the highest severity rating of “critical”, while 46 received a rating of “important” and three were rated as “moderate”. It is important to note that none of the bugs covered by the patch rollout were listed as publicly known or as being under active exploitation at the time of the release.
Per a summary by the SANS Technology Institute, 22 remote code execution holes have been plugged as part of this month’s bundle of security patches. This includes two critical vulnerabilities in Microsoft SharePoint, CVE-2020-17118 and CVE-2020-17121, where exploitation is seen as more likely by the Redmond tech giant.
While Microsoft didn’t disclose many details about the first vulnerability, they went on to describe a possible attack vector for the second one: “In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges.”
Another RCE vulnerability that merits mentioning resides in Microsoft’s Hyper-V, which is used to create virtual machine environments. Tracked as CVE-2020-17095 and holding a score of 8.5 out of 10 on the CVSS scale, the security loophole could be used by a threat actor to compromise Hyper-V virtual machines. “An attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data,” said Microsoft.
Security updates were released for a wide range of products, including Windows, multiple versions of the Edge browser, Microsoft Office, Visual Studio, as well as other products and services in Microsoft’s portfolio. Compared to the usual number of patches, this month’s bundle is on the lower end of the spectrum; for example, last month’s Patch Tuesday rollout fixed a whopping 112 vulnerabilities.
Both regular users and system administrators would be well advised to apply the patches as soon as practicable.