The last Patch Tuesday of the year brings another fresh batch of fixes for Microsoft products and while the number may be lower the patches are no less important.
In the last Patch Tuesday of the year Microsoft has rolled out fixes to no fewer than 58 vulnerabilities across more than ten products including Windows and other Microsoft software.
Nine flaws have received the highest severity rating of “critical”, while 46 received a rating of “important” and three were rated as “moderate”. It is important to note that none of the bugs that were a part of the patch rollout were listed as publicly known or have been under active exploitation at the time of the release.
Per this summary by the SANS Technology Institute, 22 remote-code execution holes have been plugged as part of this month’s bundle of security patches. This includes two critical vulnerabilities in Microsoft SharePoint, CVE-2020-17118 and CVE-2020-17121, where exploitation is seen as more likely by the Redmond tech giant.
While Microsoft didn’t disclose many details about the first vulnerability, they went on to describe a possible attack vector for the second one: “In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges.”
Another RCE vulnerability that merits mentioning resides in Microsoft’s Hyper-V which is used to create virtual machine environments. Tracked as CVE-2020-17095 and holding a score of 8.5 out of 10 on the CVSS scale, the security loophole could be used by a threat actor to compromise Hyper-V virtual machines. “An attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data,” said Microsoft.
Security updates were released for a wide range of products, including Windows, multiple versions of the Edge browser, Microsoft Office, Visual Studio, as well as other products and services in Microsoft’s portfolio. Compared to the usual number of patches, this month’s bundle is on the lower end of the spectrum; for example last month’s Patch Tuesday rollout fixed a whopping 112 vulnerabilities.
Both regular users and system administrators would be well advised to apply the patches as soon as practicable.