Connect with us

Hi, what are you looking for?



Microsoft Patches Critical SharePoint, Exchange Security Holes

Microsoft’s final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products.

Microsoft’s final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products.

The December security updates include fixes for code execution vulnerabilities in the company’s flagship Windows operating system and serious problems in Microsoft Sharepoint, Microsoft Exchange, HyperV, and a Kerberos security feature bypass.

Microsoft slapped a “critical” severity rating on nine of the 58 bulletins, while 46 are rated “important.” None of the documented bugs are under active attack and Microsoft said it was unaware of the availability of public exploit code.

According to Dustin Childs, a researcher who closely tracks security patches for Zero Day Initiative, Windows users should pay special attention to the following bulletins:

  • CVE-2020-17132 — Microsoft Exchange Remote Code Execution Vulnerability — This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.
  • CVE-2020-17121 — Microsoft SharePoint Remote Code Execution Vulnerability — Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack.
  • CVE-2020-17095 — Hyper-V Remote Code Execution Vulnerability — This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release.
  • CVE-2020-16996 — Kerberos Security Feature Bypass Vulnerability — This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed.

Security researchers are urging enterprise admins to pay special attention to CVE-2020-17096, a remote code execution vulnerability in Windows NTFS, the primary file system for Windows.

“A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system,” Microsoft warned in its advisory.

Microsoft has also released an advisory to address a spoofing vulnerability affecting the Windows DNS Resolver. The company has made available a workaround that involves making changes in the registry.

In the second half of 2020, Microsoft’s Patch Tuesday updates — excepting October and December — fixed more than 110 vulnerabilities every month. In total, Microsoft patched over 1,200 vulnerabilities this year, far more than the 851 fixed in 2019.

Related: Microsoft Patches Windows Vulnerability Chained in Attacks With Chrome Bug

Advertisement. Scroll to continue reading.

Related: Microsoft Patches Actively Exploited Windows, IE Vulnerabilities

Related: Microsoft Patches Several Publicly Disclosed Windows Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.