Today’s VERT Threat Alert addresses Microsoft’s December 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-918 on Wednesday, December 9th.
In-The-Wild & Disclosed CVEs
There are no In-The-Wild or Disclosed CVEs patched this month.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.
|Tag|CVE Count|CVEs|
|---|---|---|
|Microsoft Dynamics|4|CVE-2020-17147, CVE-2020-17152, CVE-2020-17158, CVE-2020-17133|
|Windows Error Reporting|1|CVE-2020-17094|
|Microsoft Windows|7|CVE-2020-17092, CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17138, CVE-2020-17139, CVE-2020-16996|
|Microsoft Edge|2|CVE-2020-17131, CVE-2020-17153|
|Windows Lock Screen|1|CVE-2020-17099|
|Azure SDK|2|CVE-2020-16971, CVE-2020-17002|
|Visual Studio|4|CVE-2020-17148, CVE-2020-17150, CVE-2020-17156, CVE-2020-17159|
|Azure DevOps|2|CVE-2020-17135, CVE-2020-17145|
|Microsoft Graphics Component|2|CVE-2020-17135, CVE-2020-17145|
|Windows Backup Engine|7|CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964|
|Microsoft Exchange Server|6|CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142, CVE-2020-17143, CVE-2020-17144|
|Windows SMB|2|CVE-2020-17096, CVE-2020-17140|
|Microsoft Office|10|CVE-2020-17119, CVE-2020-17122, CVE-2020-17123, CVE-2020-17124, CVE-2020-17125, CVE-2020-17126, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129, CVE-2020-17130|
|Microsoft Office SharePoint|5|CVE-2020-17089, CVE-2020-17118, CVE-2020-17115, CVE-2020-17120, CVE-2020-17121|
There was one advisory included with the December security guidance.
Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver [ADV200013]
Microsoft has announced that it is aware of a DNS cache poisoning vulnerability that impacts the Windows DNS Resolver. This threat could allow the caching of spoofed DNS packets. Microsoft has released a workaround, which is documented in this advisory.