Microsoft Patches a Mere 58 Vulnerabilities in December Patch Rollout
Microsoft's December security bundle of software fixes, released Tuesday, addresses just 58 vulnerabilities, about half as many as previous months' totals.
As noted in a blog post by Dustin Childs of Trend Micro's Zero Day Initiative (ZDI), December patch releases from Microsoft typically tend to be on the light side. Until now, monthly releases throughout 2020 had been on the heavy side, with November's bundle addressing 112 vulnerabilities, for instance. Altogether, Childs totaled 1,250 patches from Microsoft for the whole year.
Of December's 58 patches, nine address "Critical"-rated vulnerabilities, while 46 are deemed "Important" and three are considered "Moderate." However, those characterizations come from non-Microsoft security researchers like Childs. None of the vulnerabilities described this month were known beforehand to have been exploited.
For a partial list of affected software, see Microsoft's "Release Notes" document. For IT pros estimating reboots and "known issues" associated with patches, there's this Microsoft "Deployment Information" document. The monthly "Security Update Guide" is Microsoft's mind-numbing catalog of all of the December patches.
There were a couple of Security Advisories accompanying the patch release. Microsoft released its usual compendium of Servicing Stack Updates (SSUs) with its ADV990001 advisory. SSUs typically need to be applied before other updates, but Microsoft has introduced a new approach that lets Windows Server Update Services users and users of the Windows Insider Program for Business deploy monthly updates (known as "Latest Cumulative Updates") and SSUs together, as described in this announcement.
That new approach "provides a much easier deployment experience for [Windows] 2004 and later branches to merge the LCU [Latest Cumulative Update] and SSU together simplifying the experience that was a bit clunky and painful previously," noted Todd Schell, senior product manager for security at Ivanti.
Also released was Security Advisory ADV200013, describing a Domain Name System (DNS) issue that could enable spoofing of the DNS Forwarder in Windows systems. ADV200013 includes a workaround description.
Microsoft has become less forthcoming about software vulnerabilities in its security bulletin releases, but outside security researchers nonetheless offered several insights about this month's bundle.
The Critical-rated vulnerabilities this month were found in a lot of Microsoft's application server products, according to Schell:
Of the 9 critical vulnerabilities, 3 affect Microsoft Exchange Server, 2 affect SharePoint and 2 affect Microsoft Dynamics 365. The remaining 2 affect Hyper-V and Chakra Core. The SharePoint vulnerability (CVE-2020-17121) notes that an attacker could gain access to create a site and could execute code remotely within the kernel.
The SharePoint flaw was caught by Trend Micro's ZDI program and enables an authenticated user to conduct attacks.
"In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack," Childs explained.
High Common Vulnerability Scoring System (CVSS) numbers were associated with the Exchange Server vulnerabilities, noted Richard Tsang, a senior software engineer at Rapid7:
While there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 (CVE-2020-17132, CVE-2020-17142) and one is noted by Microsoft as having a higher chance of exploitability (CVE-2020-17144). These three warrant an additional examination and may be grounds for prioritizing patching.
Several researchers found the Exchange Server vulnerability, which implies that it was "somewhat easy to find," according to Childs. An attacker would need to be authenticated, though, he noted.
Tsang noted that CVE-2020-17144 is for Exchange Server 2010 SP3, which "passed end of life back on October 22, 2020." He recommended prioritizing the Exchange patches.
The Hyper-V vulnerability (CVE-2020-17095) enables an attack on the host system from the guest system. It should be prioritized, according to Jay Goodman, manager of product marketing at Automox:
Microsoft released an update to address a new remote code execution (RCE) vulnerability that exists within Hyper-V. To exploit this vulnerability, an adversary could run a custom application on a Hyper-V guest that would cause the Hyper-V host operating system to allow arbitrary code execution when it fails to properly validate vSMB packet data. The vulnerability is present on most builds of Windows 10 and Windows Server 2004 and forward.
Automox published its list of the Microsoft December patches at this page.
New Security Update Guide Approach
Microsoft recently abandoned using basic descriptions in its security bulletins. Instead, readers just get a Common Vulnerability Scoring System number and a boilerplate description. This new approach kicked off in November and was characterized by Microsoft then as being a more succinct approach.
Microsoft's monthly "Security Update Guide" contains links to these whittled-down security bulletins, but the new approach hasn't pared down its December "Guide," which is 817 pages in length.
On Tuesday, the team at the Microsoft Security Response Center noted reader "frustrations" with the removal of the executive summary section of security bulletins in a blog post. In response to feedback, the team plans to add more than just systemically generated boilerplate descriptions in some cases, such as for FAQ content, the post suggested. Microsoft does see a benefit, though, in limiting descriptions so as not to help potential attackers.
Here's how the blog put it:
These FAQ content examples are a result of your direct feedback. Some are generated systemically for certain common types of vulnerabilities, while others are manually created for particularly unusual CVEs. We feel this strikes a good balance between providing our customers useful and actionable information while not describing the vulnerability in such detail that helps our adversaries build an exploit.
Despite the lack of information in the new version of the Guide, the Microsoft Security Response Center seems upbeat about the changes. They're taking feedback from readers.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.