
December is upon us and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe kicked off their December patch release with four CVEs fixed with updates for Adobe Prelude, Experience Manager, and Lightroom. The patch for Prelude fixes a Critical-rated uncontrolled search path vulnerability that could lead to remote code execution. The Experience Manager patch addresses a cross-site scripting (XSS) bug and an information disclosure bug caused by a blind server-side request forgery. The update for Lightroom addresses a Critical-rated uncontrolled search path element vulnerability that could lead to arbitrary code execution. None of these bugs are listed as publicly known or under active attack at the time of release. Interestingly, Adobe also noted they will be releasing an update for Acrobat and Reader at some point this week. Update: The update for Acrobat and Reader was released on December 9, 2020. It fixes a single CVE that could lead to information disclosure.

For December, Microsoft released patches to correct 58 CVEs and one new advisory in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere. December is historically a light month of patches from Microsoft and this remains true for 2020. It also brings their CVE total to 1,250 for the year. It will be interesting to see if these trends continue in 2021. Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug found by multiple researchers:

CVE-2020-17132 - Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

CVE-2020-17121 - Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention.

CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9.

CVE-2020-16996 - Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed.
