The Microsoft Patch Tuesday update for December 2020 is a relatively light one, with only 58 fixes, 9 of which are listed as Critical. Luckily, none of the vulnerabilities fixed have been actively exploited or even disclosed before today.
The updates this month affect the Windows Operating System, Microsoft Office, Microsoft Exchange Server, SharePoint, Microsoft Dynamics, Azure DevOps, Azure SDK, Azure Sphere, Microsoft Edge, Visual Studio, Chakra Core, Windows Backup Engine, Windows SMB and Windows Hyper-V. Of the 58 vulnerabilities fixed today, nine are rated Critical, 46 Important and three Moderate.
This update fixes a number of interesting vulnerabilities. Of the nine Critical vulnerabilities, three affect Microsoft Exchange Server (CVE-2020-17117, CVE-2020-17132, CVE-2020-17142), two affect Microsoft Dynamics 365 (CVE-2020-17158, CVE-2020-17152) and two affect SharePoint (CVE-2020-17121, CVE-2020-17118). The remaining two affect Hyper-V (CVE-2020-17095) and Chakra Core (CVE-2020-17131).
DNS cache poisoning
Included in the December 2020 Patch Tuesday update is an additional advisory for a DNS cache poisoning vulnerability. It is a spoofing vulnerability in the DNS resolver: an attacker could exploit DNS cache poisoning caused by IP fragmentation to spoof a DNS packet, which can then be cached by the DNS resolver or the DNS forwarder. To fix this vulnerability, system administrators need to modify the Registry to set the maximum UDP packet size to 1,221 bytes. For DNS requests greater than 1,221 bytes, the DNS resolver will then switch to TCP connections.
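The fallback described above, sketched as an added example (not code from this article or from Microsoft): it models the general DNS truncation mechanism, in which a message over the UDP limit is answered with the TC flag set so that the client retries over TCP. The sample response, the name `example.test` and all function names are constructed for illustration.

```python
import struct

MAX_UDP = 1221    # byte limit quoted in the advisory text above
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags (RFC 1035)

def build_response(txid, qname, txt_len):
    """Constructed sample: a DNS response carrying one TXT answer of txt_len bytes."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = labels + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    chunks = [b"A" * min(255, txt_len - i) for i in range(0, txt_len, 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + question + answer

def question_end(msg):
    """Offset just past the single, uncompressed question section."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4  # root label + QTYPE + QCLASS

def cap_for_udp(msg, limit=MAX_UDP):
    """Datagram a capped resolver sends over UDP: the message if it fits, else header + question with TC set."""
    if len(msg) <= limit:
        return msg
    txid, flags, qd = struct.unpack("!HHH", msg[:6])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0)
    return header + msg[12:question_end(msg)]

def resolve(msg, limit=MAX_UDP):
    """Client side: accept the UDP reply unless TC is set, in which case retry over TCP."""
    udp = cap_for_udp(msg, limit)
    flags = struct.unpack("!H", udp[2:4])[0]
    if flags & TC_FLAG:
        return "tcp", msg, len(udp)  # the full answer travels over the TCP retry
    return "udp", udp, len(udp)

if __name__ == "__main__":
    for n in (200, 1174, 1175, 1500):
        full = build_response(0x1234, "example.test", n)
        transport, _, udp_len = resolve(full)
        print(f"message={len(full):5d} B  udp datagram={udp_len:5d} B  answered via {transport}")
```

With the cap in place, no UDP DNS payload exceeds 1,221 bytes, so a packet capture showing larger UDP DNS datagrams from a resolver indicates the setting has not taken effect.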
Run the December 2020 Patch Tuesday Audit Report
Just like in previous months, our experts created a Patch Tuesday Audit Report that checks whether the assets in your network are on the latest patch updates. It's color-coded to give you an easy and quick overview of which assets are already on the latest Windows update, and which ones still need to be patched. As always, all admins are advised to install these security updates as soon as possible to protect Windows from security risks.
If you haven't already, start your free trial of Lansweeper to run the Microsoft Patch Tuesday Report. Make sure to subscribe via the form below if you want to receive the latest Microsoft Patch reports and bonus network reports.