Microsoft Fixes 58 CVEs for December Patch Tuesday

The last Patch Tuesday of 2020 brings fixes for Critical vulnerabilities in Microsoft SharePoint and Exchange.

Microsoft today released its final Patch Tuesday fixes of the year, addressing 58 CVEs and one advisory. December's rollout brings the company to more than 1,200 CVEs patched in 2020.


The last Patch Tuesday of the year is typically lighter, and this month is no exception. With the exception of January, February, and October, Microsoft patched at least 110 vulnerabilities per month in 2020. While December is smaller, it's worth taking a close look at some of these bugs.


Nine of the 58 vulnerabilities are classified as critical; most are remote code execution (RCE) flaws with one memory corruption vulnerability. Forty-six are considered important, and three are moderate in severity. None are publicly known or are under attack at the time of writing.


The critical RCE vulnerabilities in SharePoint (CVE-2020-17121 and CVE-2020-17118) both require low attack complexity to exploit, Microsoft reports. The former requires an attacker to have low privileges but no user interaction, while the latter requires no privileges but requires user interaction for an attacker to succeed. Both are considered "exploitation more likely." 


"This meant Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability," says Jerry Gamblin, head of research at Kenna Security. "Moreover, Microsoft is aware of past instances of this type of vulnerability that may have been exploited," meaning security teams should give these two high priority.


CVE-2020-17121, if exploited, could allow an authenticated attacker to execute malicious .NET code on an ..
