Microsoft has dropped an almost trivially sized update for the final Patch Tuesday of 2020 – in comparison to some of the behemoths seen this year – with fixes for a mere 58 common vulnerabilities and exposures (CVEs), but with nine critical bugs disclosed, security teams should as always pay prompt attention to patching them.
The most important vulnerabilities, none of which appear to be exploited in the wild by malicious actors, are in Exchange, SharePoint, Hyper-V and Chakra Scripting, alongside a small number of other workstation bugs.
Among them are five remote code execution (RCE) vulnerabilities in Exchange (CVEs 2020-17141, -17142, -17144, -17117 and -17132), which could allow an attacker to run code as SYSTEM by sending a malicious email, and which should be prioritised on all Exchange servers; two RCEs in SharePoint (CVEs 2020-17121 and -17118) that could enable an authenticated attacker to gain access to create a site and execute code remotely within the kernel; and one RCE vulnerability in Hyper-V (CVE-2020-17095) that, if exploited, gives the ability to run malicious programs on a Hyper-V virtual machine and execute arbitrary code on the host when it fails to correctly validate vSMB packet data.
“From a priority standpoint, I recommend focusing on the on-premise Exchange servers under your management, then turn towards your SharePoint installations. Then give special attention to any internet-facing systems for the SMBv2 vulnerability, and then get those Hyper-V servers patched. Desktops and Office products can be patched on their regular patch schedule,” said Gil Langston, head security nerd at SolarWinds MSP.
Reflecting on the lighter load for security teams as the year closes out, Langston said: “This is the final Patch Tuesday of 2020, a year full of 100+ vulnerabilities fixed in almost every month. As with many things in December, it is a little quieter. There were roughly half as many vulnerabilities this month, and none that have active attacks or require emergency patching. I am sure that comes as a relief to many of you as things start to wind down for the holidays.
“This year has been one of the highest vulnerability counts I have seen since I started reviewing the patch releases some years ago. This is likely due to the additional attention vulnerabilities have been getting from the increasing number of research teams that participate in vulnerability research programs like Microsoft’s,” he said.
“This is a good thing, as discovering and patching them early greatly reduces the risk to environments that maintain a good patch schedule. And with the increasing complexity and volume of attacks we have seen this year, defenders need all the help they can get.”
Recorded Future’s Allan Liska agreed: “This has been a busy year for Microsoft vulnerabilities. Prior to December’s Patch Tuesday release, Microsoft had announced 1,198 total vulnerabilities in 2020, an average of almost 109 vulnerabilities per month,” he said.
“Compare this to 800 vulnerabilities disclosed in all of 2019, an average of just over 66 per month. So, if you feel like you have been a lot busier in 2020 managing your vulnerability programme, you are not imagining things.”
Looking back at the bumper crop of vulnerabilities Microsoft disclosed across the entirety of 2020, Liska said there had been a number of highly impactful and well-exploited bugs, many of which remain highly dangerous.
These include CVE-2020-0674, disclosed in February, a memory corruption vulnerability in the Internet Explorer scripting engine; CVE-2020-1472, or Zerologon, first published in August but which sprang to prominence in September as a “near perfect” elevation of privilege vulnerability that is now being exploited by ransomware gangs including Clop and Ryuk; CVE-2020-0796, or GhostSMB, another RCE vulnerability that is wormable and to which many thousands of systems remain exposed; and CVE-2020-1350, an RCE vulnerability in Windows DNS Server that is complicated to exploit but particularly dangerous because it is being used in advanced operations by competent nation-state actors.