Microsoft December 2020 Patch Tuesday Fixes 58 Vulnerabilities
Today is Microsoft’s December 2020 Patch Tuesday, and Windows administrators will be scrambling to put out fires, so be kind to them.
With the December 2020 Patch Tuesday security updates release, Microsoft has released fixes for 58 vulnerabilities and one advisory for Microsoft products. Of the 58 vulnerabilities fixed today, nine are classified as Critical, 48 as Important, and two as Moderate. There are no zero-day or previously disclosed vulnerabilities fixed in the December 2020 updates.
For information about the non-security Windows updates, you can read about today’s Windows 10 KB4592449 & KB4592438 cumulative updates.
Guidance on disclosed DNS cache poisoning
Included in today’s Patch Tuesday update is an advisory for a DNS cache poisoning vulnerability discovered by security researchers from Tsinghua University and the University of California.
“Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver. An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS Forwarder or the DNS Resolver,” Microsoft ADV200013 explains.
To resolve this vulnerability, administrators can modify the Registry to change the maximum UDP packet size to 1,221 bytes. For DNS requests greater than 1,221 bytes, the DNS resolver will switch to TCP connections.
You can read more about these mitigations in our dedicated ‘Microsoft issues guidance for DNS cache poisoning vulnerability’ article.
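As an added illustration (not code from Microsoft or from this article), the Python below models the behaviour the mitigation relies on: a reply over the 1,221-byte cap, or one with the DNS truncation (TC) bit set, is not accepted over UDP and the lookup is retried over TCP. The function names and sample replies are constructed for the example, and advertising the cap through the EDNS0 payload-size field (RFC 6891) is an assumption about the mechanism that the page does not state.

```python
import struct

MAX_UDP = 1221  # cap quoted in the article; everything else here is illustrative

def build_query(name, txid, udp_size=MAX_UDP, qtype=1):
    """A query carrying an EDNS0 OPT record that advertises udp_size (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # QTYPE, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)    # root name, TYPE=OPT, CLASS=size
    return header + question + opt

def advertised_udp_size(query):
    """Read the EDNS0 payload size back out of a query shaped like build_query's."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    if (qd, an, ns, ar) != (1, 0, 0, 1):
        return None
    pos = 12
    while query[pos]:                 # walk the uncompressed QNAME labels
        pos += 1 + query[pos]
    pos += 1 + 4                      # terminating zero, QTYPE, QCLASS
    if query[pos] != 0:               # OPT owner name must be the root
        return None
    rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    return rclass if rtype == 41 else None

def handle_udp_reply(txid, reply, max_udp=MAX_UDP):
    """Return 'accept', 'retry-tcp' or 'drop' for one UDP reply."""
    if len(reply) < 12:
        return "drop"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:        # wrong transaction ID, or not a response
        return "drop"
    if len(reply) > max_udp or flags & 0x0200:   # over the cap, or TC (truncated) bit set
        return "retry-tcp"                       # the UDP copy is not cached
    return "accept"

def constructed_reply(txid, size, truncated=False):
    """Constructed test data: a response header padded with zeros to size bytes."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + b"\x00" * (size - 12)

if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    print(len(q), advertised_udp_size(q))
    for size, tc in [(200, False), (200, True), (1221, False), (1400, False)]:
        print(size, tc, handle_udp_reply(0x1234, constructed_reply(0x1234, size, tc)))
```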
Vulnerabilities of interest
While there were no zero-days this month, several of the fixed vulnerabilities are worth a closer look.
- CVE-2020-17095 – Hyper-V Remote Code Execution Vulnerability: Allows malicious programs running in a Hyper-V VM to execute code on the Host.
- CVE-2020-17096 – Windows NTFS Remote Code Execution Vulnerability: Can be exploited locally to elevate permissions or remotely via SMBv2 to execute commands.
- CVE-2020-17099 – Windows Lock Screen Security Feature Bypass Vulnerability: Allows a local attacker to execute commands from a locked Windows device.
Recent security updates from other companies
Other vendors who released security updates in October include:
- Android’s December security updates were released yesterday
- Apple released security updates for iCloud
- Cisco released security updates for Security Manager vulnerabilities.
- D-Link VPN routers got patched for remote command injection bugs
- QNAP patched QTS vulnerabilities
- SAP released its December 2020 security updates
- VMware released security updates that resolve a zero-day reported by the NSA and seen used by Russian state-sponsored hackers
Expera IT May Build Update
Over the next few weeks, Expera will be pushing the May 2020 build update to systems after hours during the Windows Update window to bring systems up to a recent build of Windows 10.

