Microsoft Patches Critical SharePoint, Exchange Security Holes

Microsoft’s final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products.

The December security updates include fixes for code execution vulnerabilities in the company’s flagship Windows operating system and serious problems in Microsoft SharePoint, Microsoft Exchange and Hyper-V, as well as a Kerberos security feature bypass.

Microsoft slapped a “critical” severity rating on nine of the 58 bulletins, while 46 are rated “important.” None of the documented bugs are under active attack and Microsoft said it was unaware of the availability of public exploit code.

According to Dustin Childs, a researcher who closely tracks security patches for Zero Day Initiative, Windows users should pay special attention to the following bulletins:

  • CVE-2020-17132 — Microsoft Exchange Remote Code Execution Vulnerability — This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.
  • CVE-2020-17121 — Microsoft SharePoint Remote Code Execution Vulnerability — Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack.
  • CVE-2020-17095 — Hyper-V Remote Code Execution Vulnerability — This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release.
  • CVE-2020-16996 — Kerberos Security Feature Bypass Vulnerability — This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed.

Security researchers are urging enterprise admins to pay special attention to CVE-2020-17096, a remote code execution vulnerability in Windows NTFS, the primary file system for Windows.

“A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system,” Microsoft warned in its advisory.

Microsoft has also released an advisory to address a spoofing vulnerability affecting the Windows DNS Resolver. The company has made available a workaround that involves making changes in the registry.

In the second half of 2020, Microsoft’s Patch Tuesday updates — excepting October and December — fixed more than 110 vulnerabilities every month. In total, Microsoft patched over 1,200 vulnerabilities this year, far more than the 851 fixed in 2019.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.