Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Critical SharePoint, Exchange Security Holes

Microsoft’s final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products.

Microsoft’s final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products.

The December security updates include fixes for code execution vulnerabilities in the company’s flagship Windows operating system and serious problems in Microsoft Sharepoint, Microsoft Exchange, HyperV, and a Kerberos security feature bypass.

Microsoft slapped a “critical” severity rating on nine of the 58 bulletins, while 46 are rated “important.” None of the documented bugs are under active attack and Microsoft said it was unaware of the availability of public exploit code.

According to Dustin Childs, a researcher who closely tracks security patches for Zero Day Initiative, Windows users should pay special attention to the following bulletins:

  • CVE-2020-17132 — Microsoft Exchange Remote Code Execution Vulnerability — This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.
  • CVE-2020-17121 — Microsoft SharePoint Remote Code Execution Vulnerability — Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack.
  • CVE-2020-17095 — Hyper-V Remote Code Execution Vulnerability — This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release.
  • CVE-2020-16996 — Kerberos Security Feature Bypass Vulnerability — This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed.

Security researchers are urging enterprise admins to pay special attention to CVE-2020-17096, a remote code execution vulnerability in Windows NTFS, the primary file system for Windows.

“A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system,” Microsoft warned in its advisory.

Microsoft has also released an advisory to address a spoofing vulnerability affecting the Windows DNS Resolver. The company has made available a workaround that involves making changes in the registry.

In the second half of 2020, Microsoft’s Patch Tuesday updates — excepting October and December — fixed more than 110 vulnerabilities every month. In total, Microsoft patched over 1,200 vulnerabilities this year, far more than the 851 fixed in 2019.

Related: Microsoft Patches Windows Vulnerability Chained in Attacks With Chrome Bug

Related: Microsoft Patches Actively Exploited Windows, IE Vulnerabilities

Related: Microsoft Patches Several Publicly Disclosed Windows Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet