For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements.
On the one hand, vendors glommed to Microsoft's Patch Tuesday on the pretense that users and system administrators could plan their patching around a regular, monthly cadence. On the other hand, it lets developers emit all their bad news at once and ideally avoid headlines specifically about their products – it's all swept up in a single day of "patch this stuff soon" coverage. We'll let you dial up or down your cynicism on this matter as you see fit.
The OpenSSL Project, for example, announced a high severity flaw (CVE-2020-1971) that could be used to crash a server or conduct a denial of service attack. OpenSSL 1.1.1 and 1.0.2 (the latter out of support) are affected by this issue, and users are advised to upgrade to 1.1.1i.
CERT-CC and Forescout report 33 memory-related vulnerabilities (four critical) in the TCP/IP stack used for multiple Internet-of-Things device models. Dubbed Amnesia:33, the bugs could allow a remote, unauthenticated attacker to deny service, steal private information, or execute arbitrary code. Millions of IoT devices are said to be affected.
DHS CISA and CyberMDX, a medical device security company, have revealed MDhexRay (CVE-2020-25179), a critical (9.8 severity) flaw in GE Healthcare CT, X-Ray, and MRI imaging systems. The bug allows a remote attacker already inside a healthcare network to connect to the devices through maintenance protocols that rely on open ports and use global credentials. If exploited, an attacker could steal data, deny service, or execute arbitrary code.
The issue affects 104 GE devices across these product families: Innova, Optima, Brivo, Definium, Precision, Discovery, Seno, Revolution, Odyssey, PetTrace, Ventri, and Xeleris.
Then there's a currently unfixable Kubernetes clusterf@#$, a traffic interception vulnerability involving load balancers or external IP addresses. In a post on Monday to a Kubernetes mailing list, Apple software engineer Tim Allclair, a member of the Kubernetes Product Security Committee, outlined a medium severity bug (CVE-2020-8554) by which an individual with the ability to create or edit services and pods could intercept traffic from other pods/nodes in the cluster.
"This issue is a design flaw that cannot be mitigated without user-facing changes," wrote Allclair. "With this public announcement, we can begin conversations about a long-term fix."
The Kubernetes flaw was identified by Etienne Champetier of Anevia.
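The Kubernetes bug above turns on Service objects that claim external IPs or carry load-balancer addresses, so the practical question for a cluster operator is which services currently do that and whether the namespaces they live in should be allowed to. The following audit script is an added example, not code from the Kubernetes project or from the advisory: it reads a `ServiceList` in the shape of `kubectl get services -A -o json`, reports every service that sets `spec.externalIPs` or shows a `status.loadBalancer.ingress` IP (both are standard Kubernetes Service API fields), and flags those outside an operator-chosen allow-list of namespaces. The embedded sample list, its names and its addresses are constructed for the example.

```python
"""Audit Kubernetes Service objects for the traffic-interception exposure
described for CVE-2020-8554: services that claim external IPs or carry
load-balancer ingress IPs. Added example, not Kubernetes project code."""
import json

# Constructed sample in the shape of `kubectl get services -A -o json`.
# Namespaces, names and addresses are made up for this example.
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "ServiceList",
    "items": [
        {
            "metadata": {"name": "web", "namespace": "team-a"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10"},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"name": "sneaky", "namespace": "team-b"},
            "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.7"]},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"name": "ingress", "namespace": "infra"},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.42"}]}},
        },
    ],
})


def find_ip_claims(service_list_json):
    """Return (namespace, name, field, ip) tuples for every service that
    sets spec.externalIPs or shows a status.loadBalancer.ingress IP."""
    doc = json.loads(service_list_json)
    claims = []
    for svc in doc.get("items", []):
        meta = svc.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        # Any user who can write the Service spec can set externalIPs directly.
        for ip in svc.get("spec", {}).get("externalIPs", []) or []:
            claims.append((ns, name, "spec.externalIPs", ip))
        # Load-balancer ingress addresses are normally filled in by a controller,
        # but they still steer traffic, so list them for review as well.
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", []) or []
        for entry in ingress:
            ip = entry.get("ip")
            if ip:
                claims.append((ns, name, "status.loadBalancer.ingress", ip))
    return claims


def flag_unexpected(claims, allowed_namespaces):
    """Keep only claims made outside the namespaces an operator expects to
    publish IPs (for instance the one running the ingress controller)."""
    return [c for c in claims if c[0] not in allowed_namespaces]


if __name__ == "__main__":
    # For a live audit, feed the output of `kubectl get services -A -o json`
    # into find_ip_claims instead of the constructed sample.
    hits = flag_unexpected(find_ip_claims(SAMPLE_SERVICE_LIST), {"infra"})
    for ns, name, field, ip in hits:
        print(f"{ns}/{name} claims {ip} via {field}")
```

Run against a real dump, the script gives an inventory of who is claiming which addresses; the allow-list of namespaces is a local policy choice, and anything it flags is a candidate for a follow-up question to the owning team rather than an automatic verdict.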
Finally, don't forget Google has emitted a bunch of security fixes for Android, addressing among others a recurring problem of remote-code-execution holes in its media processing code, which can be exploited by malicious messages and files to hijack devices. As with all these patches, they should be installed as soon as possible before they are exploited in the wild.
Now back to the main event
Returning to Microsoft, the Windows-and-blue-cloud biz detailed nine Critical, 46 Important, and three Moderate vulnerabilities. Affected products include: Windows, Edge (EdgeHTML), Edge for Android, ChakraCore, Office/Office Services and Web Apps, Exchange Server, Azure DevOps, Dynamics, Visual Studio, Azure SDK, and Azure Sphere.
Among the critical flaws, Exchange proved the winner with three remote code execution (RCE) bugs (CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142). SharePoint (CVE-2020-17118 and CVE-2020-17121) and Dynamics 365 on-premises (CVE-2020-17152 and CVE-2020-17158) tied for second place with two apiece. Lagging behind are an RCE in Hyper-V (CVE-2020-17095) and another in the Chakra Scripting Engine (CVE-2020-17131).
Zero Day Initiative's Dustin Childs in a blog post said there's no word that any of these Microsoft vulnerabilities are being actively exploited. The December patch dump, he said, has brought Microsoft's bug total for the year to 1,250.
Childs also observed that the Hyper-V vulnerability, through which an attacker can escalate code execution privileges from Hyper-V guest to host by sending invalid vSMB packet data, had the highest CVSS score, at 8.8. It could be more like 9.9, he said, if the attack proves simpler to carry out than Microsoft expects.
Red Hat published five security advisories affecting OpenStack, Enterprise Linux, and JBoss, though none of real seriousness – two are rated Important and three are considered Moderate.
IBM, meanwhile, dumped 10 security notices on Monday evening, two of them rated High severity: CVE-2020-4430, enabling a Db2 denial of service attack, and CVE-2020-4739, enabling a local attacker to run arbitrary code.
Adobe posted security bulletins for Adobe Prelude (APSB20-70), Adobe Experience Manager (APSB20-72) and Adobe Lightroom (APSB20-74), along with a placeholder notice of soon-to-be-released Acrobat and Reader fixes.
And SAP doled out 11 security advisories, one of which managed a perfect CVSS score of 10. Designated CVE-2020-26829, the flaw is described as a missing authentication check in SAP NetWeaver AS JAVA (P2P Cluster Communication), affecting versions 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50. Rather than use the term "Critical," SAP has labelled the flaw "Hot News," a moniker bestowed on three other SAP vulnerabilities in the 9.1 to 9.6 severity range. ®