Microsoft has released the December 2020 “Tuesday Patch,” and while it's smaller than what we got used to in the past couple of months, it is still an important security update that squashes highly critical bugs. In numbers, December's patch brings 56 fixes, 22 of which are remote code execution flaws, with ten of them being critical vulnerabilities. Besides, there are also 18 elevation of privilege bugs, six information disclosure issues, and five security feature bypassing flaws, all fixed in this latest patch.
The most important of all, and the one that steals Cisco Talos’ spotlight this month, is a code execution flaw that affects Microsoft Excel. CVE-2020-17123 is a use-after-free vulnerability that exists in Microsoft Office 365 ProPlus, version 2002, build 12527.20988. The bug allows an attacker to use a specially crafted XLS file and trigger a use-after-free condition that could eventually lead to remote code execution.
Another important fix concerns a zero-click flaw in Microsoft Teams, which could enable a hacker to execute code on the target’s machine by merely sending them a specially-crafted chat message over Teams. This vulnerability is even platform-independent, so it can work from any OS to any OS, even on non-Windows systems. The researcher who discovered this flaw revealed that the initial report was made to Microsoft as far back as August 31, 2020, but the software giant didn’t take it very seriously at that time.
A third flaw that Microsoft characterized as “more likely to be exploited” is CVE-2020-17121, which is an RCE again, affecting SharePoint. The exploit begins through a directory traversal that follows a malicious input, causing unsafe deserialization and eventually leading to remote code execution. The prerequisite for the above to happen, though, is for the attacker to have valid user credentials for the target SharePoint site.
As always, backup your data before you apply the update as all kinds of nasty things may happen during this otherwise crucially important procedure. Even if you trust Microsoft’s engineers, a power outage is always a possibility beyond our control. It could occur during the application of the patch, leading to a corrupted OS or even worse. Of course, that shouldn’t be a reason for you to postpone applying the patch but merely a reminder to do it properly.