Patch Tuesday - December 2020

We close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it’s a higher count than our typical December months (high thirties), it’s still a nice breath of fresh air given how the past year has been. We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft.

In terms of actionables, standard procedures can be followed here in terms of how to prioritize which sets of patches to apply first with two exceptions.

Microsoft Office vulnerabilities

A fair amount of remote code executions targeting Microsoft Excel are being patched up today and while none of them have the Preview Pane set as an attack vector, the volume of remote code execution vulnerabilities pertaining to Microsoft Office this month may suggest a slight re-jig of priorities. That’s our first (minor) exception.

The next exception is likely the most notable piece behind this December 2020 Patch Tuesday: Microsoft Exchange Server.

Microsoft Exchange Server vulnerabilities

While there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 (CVE-2020-17132, CVE-2020-17142) and one is noted by Microsoft has having a higher chance of exploitability (CVE-2020-17144). These three warrant an additional examination and may be grounds for prioritizing patching.

There is currently suspicion that CVE-2020-17132 helps address the patch bypass of CVE-2020-16875 (CVSS 8.4) from September 2020. As well, both CVE-2020-17132 and CVE-2020-17142 are remote code execution vulnerabilities occurring due to improper validation of cmdlet arguments that affect all supported (as of writing) versions of Microsoft Exchange. One important note to consider is while these vulnerabilities have received a CVSS score of 9.1 and do not require additional user interaction, an attacker must be in an authenticated role in order to exploit this vulnerability.

In contrast, CVE-2020-17144 which is another remote code execution vulnerability also stemming from improper validation for cmdlet arguments, this one only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully execute. This is extra interesting as Microsoft Exchange Server 2010 passed end of life back on October 22, 2020. The introduction of this post-EOL patch for Microsoft Exchange Server 2010 coupled with Microsoft noting this vulnerability to be more likely exploitable does suggest prioritizing this patch a bit earlier.

New Summary Tables

In an attempt to provide a bit more summarizing tables, here are this month’s patched vulnerabilities split by the product family.

Azure Vulnerabilities

Browser Vulnerabilities

Developer Tools Vulnerabilities

ESU Windows Vulnerabilities

Exchange Server Vulnerabilities

Microsoft Dynamics Vulnerabilities

Microsoft Office Vulnerabilities

Windows Vulnerabilities

Summary Graphs