Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities

Fixes for 22 remote code execution vulnerabilities included in this month's patches.

Microsoft today published 58 security fixes across 10+ products and services as part of the company's monthly batch of security updates, known as Patch Tuesday.

There's a smaller number of fixes this December compared with the regular 100+ fixes that Microsoft ships each month, but this doesn't mean the bugs are less severe.

More than a third of this month's patches (22) are classified as remote code execution (RCE) vulnerabilities. These are security bugs that need to be addressed right away as they are more easily exploitable, with no user interaction, either via the internet or from across a local network.

This month, we have RCEs in Microsoft products like Windows NTFS, Exchange Server, Microsoft Dynamics, Excel, PowerPoint, SharePoint, Visual Studio, and Hyper-V.

The highest-rated of these bugs, and the ones most likely to come under exploitation, are the RCE bugs impacting Exchange Server (CVE-2020-17143, CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142) and SharePoint (CVE-2020-17118 and CVE-2020-17121).

Patching these first is advised because, by their nature, Exchange and SharePoint systems are regularly connected to the internet and, as a result, are more easily attacked.

Another major bug fixed this month is in Hyper-V, Microsoft's virtualization technology, used to host virtual machines. Exploitable via a malicious SMB packet, this bug could allow remote attackers to compromise virtualized sandboxed environments, the very thing Hyper-V was designed to protect.


Below are additional details about today's Microsoft Patch Tuesday and security updates released by other tech companies:

  • Microsoft's official Security Update Guide portal lists all security updates in a filterable table.
  • ZDNet has published this file listing all this month's security advisories on one single page.
  • Adobe's security updates are detailed here.
  • SAP security updates are available here.
  • Intel security updates are available here.
  • VMware security updates are available here.
  • Chrome 87 security updates are detailed here.
  • Android security updates are available here.

| Tag | CVE ID | CVE Title |
|---|---|---|
| Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver |
| Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability |
| Azure DevOps | CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability |
| Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability |
| Azure SDK | CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability |
| Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability |
| Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability |
| Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability |
| Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability |
| Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability |
| Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability |
| Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability |
| Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability |
| Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability |
| Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability |
| Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability |
| Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability |
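
The patch-first advice earlier in this article, applied to a few rows copied from the table above in its "Tag, CVE ID, CVE Title" layout. This is an added example, not code from Microsoft or the original article. The `EXPOSED_TAGS` set and every tier after "Exchange and SharePoint RCEs first" are assumptions made for illustration.

```python
import re
from collections import Counter

# Subset of rows copied from this article's table, one advisory per line.
ROWS = """\
Microsoft Windows DNS ADV200013 Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver
Microsoft Exchange Server CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability
Microsoft Exchange Server CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability
Windows Hyper-V CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability
Windows Backup Engine CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Dynamics CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure
""".splitlines()

# Tags contain spaces, so split on the first advisory identifier instead.
ROW_RE = re.compile(r"^(?P<tag>.+?)\s+(?P<id>CVE-\d{4}-\d{4,}|ADV\d+)\s+(?P<title>.+)$")
IMPACTS = ("Remote Code Execution", "Elevation of Privilege", "Security Feature Bypass",
           "Information Disclosure", "Spoofing", "Cross-site Scripting", "Memory Corruption")
# Assumption: tags treated as internet-facing, per the article's Exchange/SharePoint advice.
EXPOSED_TAGS = {"Microsoft Exchange Server", "Microsoft Office SharePoint"}

def parse_row(line):
    """Split one table row into tag, advisory id, title and impact class."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    # Substring match: not every title ends in the word "Vulnerability".
    impact = next((i for i in IMPACTS if i in m["title"]), "Other")
    return {"tag": m["tag"], "id": m["id"], "title": m["title"], "impact": impact}

def priority(entry):
    """0 = RCE on an exposed product (the article's advice); 1-3 are assumed tiers."""
    rce = entry["impact"] == "Remote Code Execution"
    exposed = entry["tag"] in EXPOSED_TAGS
    return 0 if rce and exposed else 1 if rce else 2 if exposed else 3

def triage(lines):
    """Return parsed advisories ordered by patch priority, then by id."""
    entries = [parse_row(line) for line in lines if line.strip()]
    return sorted(entries, key=lambda e: (priority(e), e["id"]))

if __name__ == "__main__":
    ordered = triage(ROWS)
    print(Counter(e["impact"] for e in ordered))
    for e in ordered:
        print(priority(e), e["id"], e["tag"], "-", e["impact"])
```
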