Microsoft December month security updates fix SharePoint RCE bugs
Microsoft has published company’s monthly batch of security updates, known as Patch Tuesday with total 58 vulnerability fixes, including the critical remote code execution vulnerabilities in multiple SharePoint versions.
There is smaller number of fixes in December compared with the regular 100+ fixes shipped with each month, all these not less severe.
Over 22 patches of this month are classified as remote access execution RCE vulnerabilities. These vulnerabilities can easily be exploited (through internet or from across a local network) and therefore need to be addressed right away.
RCE vulnerability products for this month include Windows NTFS, Exchange Server, Microsoft Dynamics, Excel, PowerPoint, SharePoint, Visual Studio, and Hyper-V.
The three high rated bugs for this month are RCE bugs impacting Exchange Server (CVE-2020-17143, CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142) and SharePoint (CVE-2020-17118 and CVE-2020-17121).
SharePoint pre-auth RCE bug
The highlights for this month security updates, without a doubt, is the two RCE security bugs CVE-2020-17121 and CVE-2020-17118 affecting Microsoft SharePoint.
Attackers exploit CVE-2020-17118 vulnerability by tricking people to open malicious crafted office files. The CVE-2020-17118proof-of-concept exploit code is also available, according to information provided by Microsoft in the security advisory although it is shared privately may likely.
Jonathan Birth, a Senior Security Software Engineer with the Microsoft Office Security Team, discovered this bug, affecting Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Foundation 2010 Service Pack 2.
Microsoft says, “The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.”
The Deception 2020 Patch Tuesday addresses the bugs that could allow remote code execution on Windows system running vulnerable click to run and Installer (.msi)-based editions of Microsoft Office products.
The Security updates are delivered through Microsoft update platform and via the Download center.