Saturday, May 8, 2021

Patch Tuesday, Good Riddance 2020 Edition — Krebs on Security


As always, if you experience problems or issues installing any of these patches this month, please consider leaving a comment about it below; there's a better-than-even chance other readers have experienced the same and may chime in here with some helpful pointers.

The critical bits reside in updates for Microsoft Exchange Server, SharePoint Server, and Windows 10 and Server 2016 systems. Additionally, Microsoft released an advisory on how to minimize the threat from a DNS spoofing weakness in Windows Server 2008 through 2019.

Do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your disk drive all at once.

“Given the speed with which assaulters often weaponize Microsoft Office vulnerabilities, these must be prioritized in patching,” said Allan Liska, senior security designer at Recorded Future. “The vulnerabilities, if exploited, would permit an assailant to perform approximate code on a victim's device. These vulnerabilities affect Microsoft Excel 2013 through 2019, Microsoft 365 32 and 64 bit variations, Microsoft Office 2019 32 and 64 bit versions, and Microsoft Excel for Mac 2019.”

Mercifully, it does not appear that any of the flaws fixed this month are being actively exploited, nor have any of them been detailed publicly prior to today.

A few of the sub-critical “crucial” flaws addressed this month also probably deserve prompt patching in business environments, including a trio of updates dealing with security problems in Microsoft Office.

According to Vegeris, Microsoft addressed the Teams flaw at the end of October. But he said the bug they fixed was the first of five zero- or one-click remote code execution flaws he has found and reported in Teams. Reached via LinkedIn, Vegeris declined to say whether Microsoft has yet addressed the remaining Teams issues.

And if you want to make sure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

It's a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it's usually safe to wait a few days after the patches are released, so that Microsoft has time to work out any kinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It's not uncommon for a Windows update package to break one's system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

Researcher Oskars Vegeris said in a proof-of-concept post to GitHub that he reported the flaw to Microsoft at the end of August, but that Microsoft didn't assign the bug a Common Vulnerabilities and Exposure (CVE) score because it has a policy of not doing so for bugs that can be fixed from Microsoft's end without user interaction.

We also learned this week that Redmond quietly addressed a scary “zero-click” vulnerability in its Microsoft Teams platform that would have let anyone execute code of their choosing just by sending a specially-crafted chat message to a Teams user. The bug was cross-platform, meaning it could also have been used to deliver malicious code to people using Teams on non-Windows devices.

Separately, Adobe issued security updates for its Prelude, Experience Manager and Lightroom software. There were no security updates for Adobe Flash Player, which is fitting considering Adobe is sunsetting the program at the end of the year. Microsoft is taking steps to remove Flash from its Windows browsers, and Google and Firefox already block Flash by default.

Microsoft today released its last batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft's most-dire “critical” label, meaning they can be abused by malware or miscreants to seize remote control over PCs with no help from users.

Tags: adobe, Allan Liska, Microsoft Office, Microsoft Patch Tuesday December 2020, Microsoft Teams, Oskars Vegeris, Recorded Future


This entry was published on Tuesday, December 8th, 2020 at 6:47 pm and is filed under Security Tools, Time to Patch.