Microsoft on Tuesday released fixes for 58 recently learned security flaws spanning as a lot of as 11 products and solutions and products and services as component of its remaining Patch Tuesday of 2020, successfully bringing their CVE overall to 1,250 for the year.
Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and a few are rated Moderate in severity.
The December security launch addresses issues in Microsoft Windows, Edge browser, ChakraCore, Microsoft Place of work, Trade Server, Azure DevOps, Microsoft Dynamics, Visible Studio, Azure SDK, and Azure Sphere.
The good news is, none of these flaws this thirty day period have been claimed as publicly identified or getting actively exploited in the wild.
The fixes for December worry a quantity of distant code execution (RCE) flaws in Microsoft Trade (CVE-2020-17132), SharePoint (CVE-2020-17118 and CVE-2020-17121), Excel (CVE-2020-17123), and Hyper-V virtualization computer software (CVE-2020-17095), as perfectly as a patch for a security characteristic bypass in Kerberos (CVE-2020-16996), and a quantity of privilege escalation flaws in Windows Backup Engine and Windows Cloud Data files Mini Filter Driver.
CVE-2020-17095 also carries the optimum CVSS score of 8.5 among all vulnerabilities addressed in this month’s release.
“To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V visitor that could trigger the Hyper-V host operating technique to execute arbitrary code when it fails to correctly validate vSMB packet details,” Microsoft observed.
Moreover involved as component of this month’s launch is an advisory for a DNS cache poisoning vulnerability (CVE-2020-25705) discovered by security researchers from Tsinghua College and the University of California last month.
Dubbed a Side-channel AttackeD DNS attack (or Unfortunate DNS attack), the flaw could enable an attacker to spoof the DNS packet, which can be cached by the DNS Forwarder or the DNS Resolver, thus re-enabling DNS cache poisoning attacks.
To mitigate the risk, Microsoft suggests a Registry workaround that consists of switching the greatest UDP packet size to 1,221 bytes (4C5 Hexadecimal).
“For responses more substantial than 4C5 or 1221, the DNS resolver would now swap to TCP,” the Windows maker mentioned in its advisory.
Considering that the attack depends on sending spoofed UDP (Person Datagram Protocol) messages to defeat supply port randomization for DNS requests, implementing the tweak will result in greater DNS queries to swap to TCP, thus mitigating the flaw.
It really is very recommended that Windows buyers and technique administrators use the most current security patches to solve the threats associated with these issues.
To set up the newest security updates, Windows people can head to Commence > Settings > Update & Security > Windows Update, or by picking Verify for Windows updates.
Discovered this article fascinating? Stick to THN on Facebook, Twitter and LinkedIn to go through much more exclusive material we write-up.
Some components of this report are sourced from: