Maximilian Leire
Max started working for Ordina in 2019 as a security consultant; his preferred domains are red teaming and vulnerability management. He is the co-developer of this blog.

Microsoft Security Update December 2020

We end 2020 with a quieter month, as is usual for the December patches. 58 vulnerabilities have been addressed in this final month of the year, 9 of them rated critical, 46 important and the remaining 3 moderate. Fortunately, none of them are reported as publicly known or exploited in the wild. This brings the total number of Microsoft vulnerabilities disclosed this year to 1250. Let's have a look at the most notable flaws and, consequently, where your patching priorities should lie. We will be focusing on the CVEs with the highest CVSS scores, most of which are remote code execution vulnerabilities.

Microsoft Exchange Remote Code Execution Vulnerabilities

The Exchange Server vulnerabilities covered here are all remote code execution flaws. CVE-2020-17132 and CVE-2020-17142 score the highest of all the vulnerabilities announced this month, with a CVSS score of 9.1. Luckily, exploiting them requires high privileges (e.g. administrator access); the high score reflects the impact (a CVSS scope change) rather than ease of access, so these are a patch-promptly item rather than an emergency.

CVE-2020-17144 is also notable because it affects Microsoft Exchange Server 2010, which reached end of life this past October. It is good to see Microsoft still providing a patch for it, but if you are still running this old version it is a timely reminder to upgrade as soon as possible. Luckily, high privileges are also required to exploit this vulnerability.

Microsoft Excel, PowerPoint & SharePoint Remote Code Execution Vulnerabilities

This month, 2 SharePoint, 1 PowerPoint and 6 Excel remote code execution vulnerabilities have been addressed.

The 2 SharePoint vulnerabilities (CVE-2020-17121 and CVE-2020-17118) score a very high 8.8 and 8.1 respectively. These should be among your patching priorities.

CVE-2020-17121 has a low attack complexity and needs no user interaction to exploit. Privileges are still required, but only those of a standard user, so put this one high on your list. CVE-2020-17118 does not require any privileges but does require user interaction, another vulnerability that stresses the importance of user awareness within a company.

All of the Excel advisories state that the Preview Pane in Windows Explorer is not an attack vector, which means an attacker needs a user to actually open the malicious file. Make sure all users in your organization are extra careful when clicking links and opening files until you have applied the necessary patches (though of course it never hurts to be careful all the time). Note that Excel for Mac has not yet received an update; one should be available soon.

For a list of all vulnerabilities that were disclosed this month go here.

If you need any assistance or have any questions regarding cybersecurity within your company, don’t hesitate to contact us.