Microsoft spread some festive cheer amongst sysadmins this thirty day period with a Patch Tuesday only all around fifty percent as significant as most of its updates this yr, fixing just 58 CVEs.
Of all those, nine have been rated critical, with CVE-2020-17132 singled out by Recorded Future senior security architect Allan Liska as a precedence.
“The vulnerability impacts Microsoft Trade 2013 by way of 2019 and calls for the attacker to be authenticated. Unusually, Microsoft does not incorporate an attack state of affairs in the description other than to say the vulnerability is the end result of inappropriate validation of cmdlet (light-weight instructions utilized in PowerShell) arguments,” he described.
“One product of observe: Microsoft thanked scientists from a few various organizations for reporting this vulnerability, which suggests it is very likely simple to identify and exploit. A fourth researcher claimed CVE-2020-17142, a equivalent vulnerability in Microsoft Trade (affecting cmdlets).”
Liska added that sysadmins should really also prioritize CVE-2020-17117, a further RCE bug in Microsoft Trade which also influences variations 2013-2019.
The other critical disclosures protect SharePoint, Hyper-V, Chakra Scripting and numerous other workstation vulnerabilities.
Liska also pointed to several RCE bugs in Excel which could allow for attackers to execute arbitrary code on a victim’s equipment: CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129 and CVE-2020-17130.
“Microsoft lists all of these vulnerabilities as Essential alternatively than Critical, but provided the velocity with which attackers typically weaponize Microsoft Office vulnerabilities, these ought to be prioritized in patching,” he argued.
Microsoft also issued steerage to deal with vulnerabilities in DNS resolver as part of a new advisory, ADV200013.
“The vulnerability is a spoofing vulnerability in DNS resolver that could allow an attacker to exploit a DNS cache poisoning induced by IP fragmentation,” stated Ivanti senior product manager, Todd Schell. “An attacker could spoof the DNS packet which can be cached by the DNS forwarder or the DNS resolver. A workaround for configuring DNS servers is outlined in the advisory.”
Not to be outdone, Adobe fixed 14 vulnerabilities in Adobe Reader this thirty day period, four of which had been critical.
Some components of this posting are sourced from: