Microsoft has addressed 58 CVEs (nine of them critical) for its December 2020 Patch Tuesday update. This brings the computing giant’s patch tally to 1,250 for the year – well beyond 2019’s 840.
This month’s security bugs affect Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK and Azure Sphere, according to the update. None are listed as publicly known or under active attack. Also, no vulnerability was assigned a CVSSv3 severity score of 9.0 or higher.
Critical Bug Breakdown
Three of the critical flaws are found in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142), all allowing remote code execution (RCE). One of these occurs due to improper validation of cmdlet arguments, according to Microsoft, which doesn’t provide an attack scenario but does note that the attacker needs be authenticated with privileges.
“This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server,” according to Dustin Childs at Trend Micro’s Zero Day Initiative (ZDI), writing in a Tuesday analysis. “With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.”
Also on the Exchange front, CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September’s Patch Tuesday release. While not critical, it’s of note, Childs said.
Childs also flagged CVE-2020-17121, one of two critical RCE bugs in Microsoft SharePoint (the other is CVE-2020-17118). Originally reported through ZDI program, the bug could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account.
“In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack,” Childs explained. “Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.”
In fact, the Sharepoint CVEs should take patching priority, Immersive Labs’ Kevin Breen, director of cyberthreat research, said via email. “Both are rated as critical as they have RCE, and Sharepoint can be used like a watering hole inside large organizations by an attacker,” he said. “All it takes is for a few weaponized documents to be placed for malicious code to spread across an organization.”
Another critical bug of note is tracked as CVE-2020-17095, a Hyper-V RCE vulnerability that allows an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. The flaw carries the highest CVSS score in the update, coming in at 8.5, since no special permissions are needed to exploit it.
“To exploit this vulnerability, an adversary could run a custom application on a Hyper-V guest that would cause the Hyper-V host operating system to allow arbitrary code execution when it fails to properly validate vSMB packet data,” explained Automox researcher Jay Goodman, via email. “The vulnerability is present on most builds of Windows 10 and Windows Server 2004 and forward.”
Two post-authentication RCE flaws in Microsoft Dynamics 365 for Finance and Operations (on-premises) (CVE-2020-17158 and CVE-2020-17152) round out the critical patches, along with a memory-corruption issue in the Chakra Scripting Engine, which impacts the Edge browser (CVE-2020-17131).
“Only one [of the critical-rated updates] (surprisingly) impacts the browser,” Childs said. “That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory-corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season.”
Though it’s a lighter than usual month for the volume of patches, the steady flow of critical RCE bugs present a great deal of risk, said Justin Knapp, researcher at Automox, via email.
“Instead of having to manipulate a user to click a malicious link or attachment, bad actors merely have to target an unpatched system to gain initial access, at which point a number of methods can be employed to increase access to valuable assets,” he said, referring to this month’s critical RCE problems. “It goes without saying that the speed at which an organization can deploy these fixes will dictate the level of risk they take on.”
Other Bugs, Patching
In addition to the critical bugs, a full 46 of the bugs are rated as important, and three are rated moderate in severity. The important bugs include 10 Office issues bugs impacting Outlook, PowerPoint and Excel — for these, Office 2019 versions for Mac do not have patches yet.
“This is a book-end to a year that began with Microsoft addressing 49 CVEs in January of 2020, followed by eight consecutive months with over 90 CVEs addressed. In 2020, Microsoft released patches for over 1,200 CVEs,” Satnam Narang, principal research engineer, Tenable, told Threatpost.
Patching may be more difficult than ever going forward. “One of the things that stands out is that Microsoft has removed a lot of the detail they usually share with such advisories,” Breen said. “For me, this could lead to some issues. Patching is not as easy as just clicking an update button and security teams like to gain a deeper understanding of what they are doing. Instead, however, they are expected to operate with less information.”
Elsewhere, Adobe issued patches for flaws tied to one important-rated and three critical-severity CVEs, during its regularly scheduled December security updates.
“While lighter than usual, the most severe allow for arbitrary code execution including three critical severity CVEs and one less severe (important-rated) flaw identified,” Nick Colyer, researcher from Automox said. “The holidays present unique challenges to security teams’ upcoming out-of-office time and the severity of the vulnerabilities Adobe has addressed are non-trivial against those challenges. It is important to prioritize any major vulnerabilities during holidays to reduce the threat surface exposed to would-be attackers.”
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.
BONUS CONTENT: Download our exclusive FREE Threatpost Insider eBook, Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth.