In a year that saw Microsoft correct an average of 108 vulnerabilities per month, Microsoft gave administrators an early holiday present by delivering fixes for 58 vulnerabilities for December Patch Tuesday.
There were no zero-day or publicly disclosed vulnerabilities this month and, aside from Edge on Android, no corrections for the Internet Explorer or Edge web browsers. Microsoft finished the year with repairs for 1,245 unique vulnerabilities, a sizable increase over the 846 bugs reported in 2019.
Chris Goettl, senior director of product management and security at Ivanti, said administrators should focus their efforts on a critical vulnerability (CVE-2020-17121) for the SharePoint collaboration platform.
"In a network-based attack, the attacker can gain access to create a site and could execute code remotely within the kernel. They would need to have a more privileged level of access, but that's not all that hard to get if they've already gotten on the system to elevate privileges," Goettl said. "There's usually a variety of different ways to do that, so that vulnerability probably puts SharePoint up higher on the list of things that people should take a look at this month."
SharePoint has an additional remote-code execution vulnerability (CVE-2020-17118) rated critical that administrators will also want to prioritize.
Microsoft released updates for six vulnerabilities on the Exchange Server messaging platform with a split of three rated critical (CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142) and three rated important (CVE-2020-17141, CVE-2020-17143 and CVE-2020-17144). Due to Microsoft's decision to remove the executive summaries from the CVE listings starting in November, there is no detailed description of the vulnerabilities to assist administrators, such as the most likely exploit methods.
A Hyper-V remote-code execution vulnerability (CVE-2020-17095) is rated critical for supported Windows Server and Windows 10 systems.
"To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data," Microsoft wrote in the CVE FAQ.
The enterprise resource planning product Dynamics 365 for Finance and Operations has two critical remote-code execution vulnerabilities (CVE-2020-17152 and CVE-2020-17158) with CVSS scores of 8.8 and an exploitability assessment of "more likely" from Microsoft.
No patch but a fix for a DNS cache poisoning vulnerability
Aside from the monthly security fixes for December Patch Tuesday, Microsoft released an advisory (ADV200013) that addresses a spoofing vulnerability rated important in the DNS resolver.
"Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects [the] Windows DNS [r]esolver. An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS [f]orwarder or the DNS [r]esolver," Microsoft wrote in the advisory's executive summary.
This vulnerability affects all supported Windows Server versions and Windows Server 2008/2008 R2 in the Extended Security Updates program. To remedy the vulnerability, administrators need to edit the registry of vulnerable Windows Server systems to cap the User Datagram Protocol buffer size at 1221. A response larger than 1221 would switch the DNS resolver to the Transmission Control Protocol.
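One way to confirm from a packet capture that the cap took effect, as an added example that is not from the article or from Microsoft's advisory. It assumes the cap shows up as the EDNS0 UDP payload size the resolver advertises in its outbound queries; the helper names and the sample packets are constructed for illustration.

```python
import struct

UDP_CAP = 1221       # buffer size cap named in the workaround
CLASSIC_LIMIT = 512  # UDP limit that applies when no EDNS0 OPT record is present

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length

def inspect(msg):
    """Return (tc_flag, edns_udp_size or None) for a raw DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                           # OPT: CLASS field holds the UDP size
            edns = rclass
    return bool(flags & 0x0200), edns             # 0x0200 is the TC (truncated) bit

def effective_udp_size(msg):
    """UDP response size the sender will accept; values below 512 count as 512."""
    size = inspect(msg)[1]
    return CLASSIC_LIMIT if size is None else max(CLASSIC_LIMIT, size)

def within_cap(msg, cap=UDP_CAP):
    return effective_udp_size(msg) <= cap

def build_message(name, udp_size=None, flags=0x0100):
    """Constructed sample: an A question for `name`, with an OPT record if udp_size is set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0 if udp_size is None else 1)
    opt = b"" if udp_size is None else b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt
```

A query that advertises more than 1221 bytes fails `within_cap`, and a reply with the TC bit set is the point at which the resolver retries over TCP.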
Streamlined servicing stack and cumulative update process unveiled
Microsoft also released servicing stack updates (SSU) for Windows 7/Server 2008 R2, Windows 10 2004/Windows Server, version 2004, and Windows 10 20H2/Windows Server, version 20H2.
On Dec. 8, Microsoft published a blog post with an update on the project to streamline the process to deploy both cumulative updates and SSUs. Administrators can choose to keep them separate or combine them using Windows Server Update Services. According to Microsoft, the SSU should be applied before the cumulative update to avoid problems. The option is only available to systems running Windows 10, version 2004 and later that have installed the September 2020 SSU or later SSU versions.
"I think most admins are going to want to do these patches together just because they're such a pain to do separately," Goettl said.
An earlier blog from September hinted at extending this functionality to more Windows OS versions.
Administrators get simplified update process for .NET Core
On Dec. 3, Microsoft announced another option for administrators who want to streamline patch deployment, this time for .NET Core.
A blog post by principal engineering manager Jamshed Damkewala clarified why the company was now providing the .NET Core fixes to Microsoft Update and Windows Server Update Services.
"Until now, we did not deliver .NET Core updates automatically via Microsoft Update. This was because of earlier customer feedback around potentially breaking apps. This feedback was centered around .NET Framework major/minor feature updates (for example going from 4.5 to 4.8) which installed in-place rather than side-by-side with earlier versions," he wrote.
.NET Core is the open-source, cross-platform managed execution environment that is a fork of the .NET Framework, which is part of the Windows OS.
Damkewala further explained that organizations that had approved these automatic updates but wanted to opt out would have to add a registry key to block the patches, such as through a Group Policy object.