I’m so glad you could join us for the last issue of PatchWork for the year of 2020. It’s been an interesting year to say the least, and Microsoft is closing it out on a somewhat lighter note, with only 58 security fixes – a good deal fewer than the 100+ that Microsoft has been dealing with these past few months. Now, that’s not to say that some of these aren’t difficult, particularly a few remote code execution vulnerabilities that we’ll cover shortly, but having less to deal with most likely means fewer things that can break, since less is being changed. So without further ado, let’s get into it!
Exchange Server, SharePoint Impacted
22 patches are directed toward Remote Code Execution (RCE) vulnerabilities, and the highest profile among these are directed towards patching up Exchange and SharePoint. These two can fall victim to highly exploitable RCEs more easily because they are regularly connected to the Internet, so it is recommended to patch them first. There’s also an advisory from Microsoft on how to minimize the risk of a DNS spoofing weakness found in all Windows Server versions from 2008 all the way out to 2019.
Teams? Yes, even Teams.
Microsoft also addressed a “zero-click” vulnerability in its Teams platform that would let anyone execute code of their choosing, simply by sending a specially crafted message to a Teams user. It was also a cross-platform bug, meaning it could be used to deliver malicious code to people using Teams on non-Windows devices. This flaw was reported to Microsoft at the end of August, but it was not assigned a CVE (Common Vulnerabilities and Exposures) code. This is due to Microsoft’s policy of not assigning these codes to any vulnerabilities that can be repaired from Microsoft’s end without user interaction.
Conclusion: Admins, Patch; Users, Sit Tight.
If you’re an admin over an Exchange or a SharePoint system, you should patch it quickly, but you can hold your users back from updating for a few days until the standard issues that Microsoft usually has with these kinds of updates are sorted out.
Stay safe in these trying times. While we can’t help with more physical viruses, we can keep you up to speed on what Microsoft is doing to keep you safe from viruses of a virtual kind. So, fellow admins and users alike, until the next episode of PatchWork, in the new year!