December 2020 Patch Tuesday – 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe


This month’s Microsoft Patch Tuesday addresses 58 vulnerabilities with 9 of them labeled as Critical. The 9 Critical vulnerabilities cover Exchange, SharePoint, Hyper-V, Chakra Scripting, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Prelude, Lightroom and [pre-notification security advisory for Acrobat and Reader](<https://blogs.adobe.com/psirt/?p=1957>). ### Workstation Patches Today’s Patch Tuesday fixes vulnerabilities that would impact workstations. The Office, Edge, Chakra vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. ### Microsoft Exchange RCE Microsoft patched five Remote Code Execution vulnerabilities in Exchange ([CVE-2020-17141](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17141>), [](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17142>)[CVE-2020-17142](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17142>), [CVE-2020-17144,](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144>) [CVE-2020-17117](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17117>), [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17132>)), which would allow an attacker to run code as system by sending a malicious email. Microsoft does rank them as “Exploitation Less Likely,” but due to the open attack vector, these patches should be prioritized on all Exchange Servers. ### SharePoint RCE Microsoft patched two RCEs ([CVE-2020-17121](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17121>) and [CVE-2020-17118](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17118>)) in SharePoint. [CVE-2020-17121](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17121>) allows an authenticated attacker to gain access to create a site and execute code remotely within the kernel. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments. ### Hyper-V RCE Microsoft also patched an RCE vulnerability in Hyper-V ([CVE-2020-17095](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17095>)) which allows an attacker to run malicious programs on Hyper-V virtual machine to execute arbitrary code on the host system when it fails to properly validate vSMB packet data. This should be prioritized on all Hyper-V systems. ### Windows NTFS RCE While listed as Important, there is a RCE vulnerability ([CVE-2020-17096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17096>)) in Microsoft Windows. A local attacker could exploit this vulnerability to elevate the attacker's privileges or a remote attacker with SMBv2 access to affected system could send malicious requests over the network. ### Windows Lock Screen Security Bypass An important vulnerability is patched by Microsoft ([CVE-2020-17099](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17099>)) where an attacker with physical access to the target system could perform actions on a locked system, thereby executing code from Windows lock screen in the context of the active user session. This patch should be prioritized across all Windows devices. ### Adobe Adobe issued patches today covering multiple vulnerabilities in [Adobe Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html>), [Lightroom](<https://helpx.adobe.com/security/products/lightroom/apsb20-74.html>), [Prelude](<https://helpx.adobe.com/security/products/reader-mobile/apsb20-71.htmlhttps://helpx.adobe.com/security/products/prelude/apsb20-70.html>) and [Pre-notification Security Advisory for Acrobat and Reader](<https://helpx.adobe.com/security/products/acrobat/apsb20-75.html>). The patches for Experience Manager and Acrobat/Reader are labeled as [Priority 2 ](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>). While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed. ### About Patch Tuesday Patch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).