Microsoft released its last scheduled monthly updates of 2020 this week. The December Patch Tuesday is the second-smallest update bundle of the year, fixing only 58 security flaws. The smallest was the January 2020 Patch Tuesday, which addressed only 49 bugs.
Microsoft Addressed 9 Critical Bugs
With December Patch Tuesday, Microsoft has released fixes for 9 different critical severity vulnerabilities across different products. Upon exploitation, all these bugs could lead to remote code execution.
Three of these vulnerabilities (CVE-2020-17132, CVE-2020-17117, and CVE-2020-17142) existed in Microsoft Exchange Server. Microsoft confirmed that exploitation required authenticated access. However, that means compromising an otherwise legitimate email account could allow an adversary to take over the Exchange Server.
Similarly, another critical bug (CVE-2020-17095) could allow an adversary to escalate privileges from a Hyper-V guest to execute code on the Hyper-V host via invalid vSMB packet data. The vulnerability has received a CVSS score of 8.5.
Other December Patch Tuesday Fixes
Apart from the critical severity flaws, Microsoft has also released fixes for 46 different important severity vulnerabilities affecting various products.
The affected products include Windows Backup Engine, Microsoft SharePoint, Microsoft Excel, Microsoft Outlook, PowerPoint, Windows Error Reporting, and Visual Studio Code. Upon exploitation, the vulnerabilities could lead to remote code execution, information disclosure, privilege escalation, and spoofing.
Apart from these, Microsoft fixed three moderate severity bugs in Azure SDK for Java, Microsoft Edge for Android, and Microsoft SharePoint.
Fortunately, Microsoft has confirmed that none of these flaws was publicly disclosed or exploited before the patches. It means that the bugs remained under the radar of threat actors.
However, now that the flaws are disclosed, all users must make sure to update their systems with the latest Windows updates. Users of the Microsoft Edge browser should also update it on their Android devices to fix the vulnerability (CVE-2020-17153).