Today’s VERT Alert addresses Microsoft’s December 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-918 on Wednesday, December 9th.

In-The-Wild & Disclosed CVEs

There are no In-The-Wild or Disclosed CVEs patched this month.

Cloud Native Now

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

TagCVE CountCVEs
Microsoft Dynamics4CVE-2020-17147, CVE-2020-17152, CVE-2020-17158, CVE-2020-17133
Windows Hyper-V1CVE-2020-17095
Azure Sphere1CVE-2020-17160
Windows Error Reporting1CVE-2020-17094
Microsoft Windows7CVE-2020-17092, CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17138, CVE-2020-17139, CVE-2020-16996
Microsoft Edge2CVE-2020-17131, CVE-2020-17153
Windows Media1CVE-2020-17097
Windows Lock Screen1CVE-2020-17099
Azure SDK2CVE-2020-16971, CVE-2020-17002
Visual Studio4CVE-2020-17148, CVE-2020-17150, CVE-2020-17156, CVE-2020-17159
Azure DevOps2CVE-2020-17135, CVE-2020-17145
Microsoft Graphics Component2CVE-2020-17135, CVE-2020-17145
Windows Backup Engine7CVE-2020-16958, CVE-2020-16959, CVE-2020-16960, CVE-2020-16961, CVE-2020-16962, CVE-2020-16963, CVE-2020-16964
Microsoft Exchange Server6CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142, CVE-2020-17143, CVE-2020-17144
Windows SMB2CVE-2020-17096, CVE-2020-17140
Microsoft Office10CVE-2020-17119, CVE-2020-17122, CVE-2020-17123, CVE-2020-17124, CVE-2020-17125, CVE-2020-17126, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129, CVE-2020-17130
Microsoft Office SharePoint5CVE-2020-17089, CVE-2020-17118, CVE-2020-17115, CVE-2020-17120, CVE-2020-17121

Other Information

There was one advisory included with the December security guidance.

Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver [ADV200013]

Microsoft has announced that they are aware of a DNS cache poisoning vulnerability that impacts the Windows DNS Resolver and could allow the caching of spoofed DNS packets. They have released a workaround documented in this advisory.