Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
December Overview
Justin Knapp - General Overview
The first gift of the holiday season comes from Microsoft in the form of the second lightest Patch Tuesday release of the year. December’s total of 58 new vulnerabilities pales in comparison to previous months, bringing 9 critical updates, all of which are remote code execution (RCE) bugs with the only exception being a memory corruption vulnerability. We continue to witness a steady flow of critical RCEs each month that present a great deal of risk when it comes to providing an attack vector that requires no user action. Instead of having to manipulate a user to click a malicious link or attachment, bad actors merely have to target an unpatched system to gain initial access, at which point a number of methods can be employed to increase access to valuable assets. It goes without saying that the speed at which an organization can deploy these fixes will dictate the level of risk they take on. Automating and accelerating the patching process has become a notable competitive advantage for organizations, often freeing up time and resources while reducing unwanted liability.
Nick Colyer - Adobe Updates
Adobe has patched multiple critical vulnerabilities for December across Adobe Experience Manager (APSB20-72), Adobe Lightroom (APSB20-74), Adobe Lightroom (APSB20-75), and Adobe Prelude (APSB20-70). While lighter than usual, the most severe allow for arbitrary code execution including three critical severity CVEs and one less severe (important-rated) flaw identified.
Adobe Prelude, a video logging and ingestion solution was found to have a critical arbitrary code execution issue around an uncontrolled search path affecting Windows and macOS platforms respectively. Adobe Experience Manager, a content management solution was also impacted by a critical arbitrary execution via JavaScript in-browser due to a cross-site scripting flaw discovered. Adobe Lightroom, a photography companion solution was also impacted by an uncontrolled search path vulnerability leading to arbitrary code execution. Adobe Acrobat and Reader were impacted by less severe, nominal impact issues affecting Windows and macOS.
The holidays present unique challenges to security teams’ upcoming out-of-office time and the severity of the vulnerabilities Adobe has addressed are non-trivial against those challenges. It is important to prioritize any major vulnerabilities during holidays to reduce the threat surface exposed to would-be attackers.
Critical Vulnerability Breakdown
Justin Knapp - CVE-2020-17118, -17121
CVE-2020-17118 and 17121 are two critical remote code execution vulnerabilities in SharePoint that provide a low complexity attack vector for bad actors to gain initial access. In a network-based attack scenario, an attacker could successfully exploit the vulnerability to gain access, without any user interaction, to create a site and potentially execute code remotely within the kernel. Given the track record of SharePoint vulnerabilities being exploited long after a patch has been released and considering the higher probability of exploitation, it would be wise for organizations to prioritize these fixes and update immediately.
Jay Goodman - CVE-2020-17095 Critical REC Vulnerability in Hyper-V
Microsoft released an update to address a new remote code execution (RCE) vulnerability that exists within Hyper-V. To exploit this vulnerability, an adversary could run a custom application on a Hyper-V guest that would cause the Hyper-V host operating system to allow arbitrary code execution when it fails to properly validate vSMB packet data. The vulnerability is present on most builds of Windows 10 and Windows Server 2004 and forward. IT operations and system administrators are encouraged to quickly address this critical vulnerability before kicking off for the holiday season. As much of the world relaxes for the holiday season, attackers will not. Early to mid December sees a consistently higher number of attackers than other periods of the year, and given 2020’s pedigree to date it would be foolish to think they would take it easy this year.
Jay Goodman - CVE-2020-17131 Critical Memory Corruption Vulnerability in the Chakra Scripting Engine
CVE-2020-17131 is a critical memory corruption vulnerability identified in the Chakra Scripting Engine. This vulnerability exploits how the scripting engine handles objects in memory and can lead to remote code execution. The Chakra Scripting Engine is widely used in Microsoft Edge. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to directly run malicious code on the exploited systems. The combination of a common browser with a remote code execution vulnerability should be concerning for system administrators wanting to close out the year knowing their colleagues' inevitable last minute Amazon purchases can be made safely.
Nicholas Colyer - CVE-2020-17152, -17158 RCE in Microsoft Dynamics 365 for Finance and Operations
A remote code execution vulnerability was discovered in the on-premise version of enterprise resource planning tool, Microsoft Dynamics 365 for Finance and Operations. Application authentication is required for exploitation, however details are not available at this time. While there is no proven exploit code public as of writing and the affected version is on-premise, the holiday season presents a unique opportunity for malicious threat actors to leverage reduced air coverage with out-of-office personnel in attacking organizations.
Chris Hass - CVE-2020-17117, -17132, -17142 Microsoft Exchange Remote Code Execution Vulnerability
Multiple remote code execution vulnerabilities are being patched today, some of the most notable were discovered in Microsoft’s Exchange. Microsoft Exchange enables email to be delivered directly to a server rather than storing those emails on individual PCs. It works by sending the emails back to your individual workstations in which your staff can access. As you can imagine, Microsoft Exchange is very commonly used in enterprises and small to medium businesses, and can contain an immense amount of sensitive information. CVE-2020-17132 and CVE-2020-17142 both vulnerabilities are a result of improper validation of cmdlet arguments submitted to the Exchange server. Both also need user interaction to be triggered, and an attacker must be an authenticated user.
To see all the latest details and advice on this month’s Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
