
Patch Tuesday delivers critical fixes for Microsoft SharePoint, Exchange

Microsoft's last Patch Tuesday of the year has arrived and this month the software giant has included fixes for some of the most serious vulnerabilities it has addressed in the past 12 months.

Compared to November's Patch Tuesday, which provided patches for 112 different vulnerabilities in its products, this month's series of fixes from Microsoft addresses 56 vulnerabilities in its software, including SharePoint and Exchange.

According to a blog post from SophosLabs, the software giant has fixed 1,245 bugs this year with an average of more than 100 updates per month over the past year.

While Microsoft has patched half as many vulnerabilities this month as it did in November, nearly 40 percent of the bugs addressed in December's Patch Tuesday could allow attackers to run malicious code on targeted systems.

Remote code execution

Two of the most important vulnerabilities addressed this month exist in Microsoft SharePoint and Exchange and, if exploited, could lead to remote code execution.

The SharePoint vulnerability, tracked as CVE-2020-17121, is a directory traversal vulnerability that can be triggered when the software processes an attacker's malicious input. An attacker could exploit this vulnerability to cause an unsafe deserialization of malicious input, which would lead to remote code execution. However, to carry out this kind of attack, an attacker would need valid user credentials for the targeted SharePoint site in order to log in to it and create a new Team Site on it.

The Exchange vulnerability, tracked as CVE-2020-17144, is quite serious but poses less risk to end users because it only affects the Exchange 2010 mail server (which Microsoft recently stopped supporting) and requires an attacker to have valid account credentials for at least one email user on the affected server. If an attacker does manage to exploit this vulnerability, it would expose the contents of the mailboxes used by all accounts on the Exchange server.

Microsoft's latest series of patches will be rolling out to users soon, but you can also check out the complete list to see all 56 vulnerabilities that were addressed, as well as their severity levels.

Via Sophos News