December 2020 Patch Tuesday

Welcome to the last Patch Tuesday of 2020! Nine vulnerabilities were rated as “Critical” this month by Microsoft out of the 58 security vulnerabilities total. None of the vulnerabilities were under active exploit prior to patching, nor were they disclosed to the public.

Microsoft Exchange Server

Microsoft Exchange was patched for three vulnerabilities, two of which were Critical and allowed for an authenticated attacker to execute arbitrary code as System on the Exchange Server. The attacks required no user interaction to be exploited. This could then completely compromise the server, as the attacker could create administrative accounts with full rights on the system.

SharePoint Server

Microsoft Sharepoint was also patched for a Critical vulnerability that required user interaction. An unauthenticated attacker could execute arbitrary code within the context of the current user on the client machine. This again is a reminder to always operate under the principles of least privilege.

Hyper-V

Windows 10 and Server 2016/2019 systems received a critical update for Hyper-V that allowed for a user with low privilege levels to execute code remotely on the host as System. This would then completely compromise the host device. Microsoft deems this vulnerability as critically severe but less likely for exploit due to the attack complexity.

Microsoft Edge

Microsoft Edge was patched for a Chakra Scripting Engine vulnerability. Due to improper memory management, an attacker could remotely execute code on the system if they could trick the user to interacting with malicious content. Microsoft rates this vulnerability as Critical but deems that exploitation is less likely due to the complexity of launching the attack.

Microsoft Dynamics

Microsoft Dynamics for Finance and Operations is vulnerable to a low-complexity, remote, unauthenticated attack that results in remote code execution with no user interaction. Because the attack is so simple to pull off, exploitation is more likely in the coming months. Admins should patch as soon as possible to protect against this vulnerability, which is rated as Critical by Microsoft.