Security News

Patch Tuesday, Good Riddance 2020 Edition
2020-12-08 23:47

Microsoft today issued its final batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft's most-dire "Critical" label, meaning they can be abused by malware or miscreants to seize remote control over PCs without any help from users. Some of the sub-critical "Important" flaws addressed this month also probably deserve prompt patching in enterprise environments, including a trio of updates tackling security issues with Microsoft Office.

Patch Tuesday brings bug fixes for OpenSSL, IBM, SAP, Kubernetes, Adobe, and Red Hat. And Microsoft, of course
2020-12-08 22:17

For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements. In a post on Monday to a Kubernetes mailing list, Apple software engineer Tim Allclair, a member of the Kubernetes Product Security Committee, outlined a medium severity bug by which an individual with the ability to create or edit services and pods could intercept traffic from other pods/nodes in the cluster.

Microsoft Wraps Up a Lighter Patch Tuesday for the Holidays
2020-12-08 20:23

Microsoft has addressed 58 CVEs for its December 2020 Patch Tuesday update. Also on the Exchange front, CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September's Patch Tuesday release.

A light December 2020 Patch Tuesday for a no-stress end of the year
2020-12-08 20:01

As expected, Microsoft fixed a smaller-than-usual number of CVEs on this December 2020 Patch Tuesday: 58 in total. Satnam Narang, staff research engineer at Tenable, pointed out that CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September's Patch Tuesday release.

OpenSSL Ships ‘High Severity’ Security Patch
2020-12-08 15:47

The OpenSSL Project today warned that the widely deployed TLS/SSL toolkit is vulnerable to a serious security flaw that exposes users to denial-of-service attacks. According to an alert from the open-source group, the problem is caused by a specific function that "behaves incorrectly" if an attacker successfully triggers certain conditions.

Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities
2020-12-08 13:37

With the December 2020 Patch Tuesday security updates release, Microsoft has released fixes for 58 vulnerabilities and one advisory for Microsoft products. Of the 58 vulnerabilities fixed today, nine are classified as Critical, 48 as Important, and two as Moderate.

D-Link VPN routers get patch for remote command injection bugs
2020-12-08 09:02

A vulnerability in D-Link firmware powering multiple routers with VPN passthrough functionality allows attackers to take full control of the device. Reported by Digital Defense's Vulnerability Research Team on August 11, the flaw is a root command injection that can be exploited remotely if the device's "Unified Services Router" web interface is reachable over the public internet.

Week in review: Most effective security practices, worst password offenders, Patch Tuesday forecast
2020-12-06 09:00

Open source vulnerabilities go undetected for over four years
For its annual State of the Octoverse report, GitHub has analyzed over 45,000 active code directories to provide insight into open source security and developers' practices regarding vulnerability reporting, alerting and remediation.

Which security practices lead to best security outcomes?
A proactive technology refresh strategy and a well-integrated tech stack are, according to a recent Cisco report, two security practices that are more likely than many others to help organizations achieve goals such as keeping up with business, creating security culture, managing top risks, avoiding major incidents, and so on.

Many Android Apps Expose Users to Attacks Due to Failure to Patch Google Library
2020-12-04 14:21

A vulnerability in the Google Play Core Library continues to impact many applications several months after official patches were released. The Google Play Core Library allows Android developers to deliver updates to their applications at runtime, via the Google API, without requiring interaction from the user.

December 2020 Patch Tuesday forecast: Always consider the risk
2020-12-04 06:40

We need to keep in mind that periodic updates are being released for all the applications we use and many of those updates include critical security fixes for vulnerabilities that are being exploited. Very few of us are in a position to instantly update all the systems in our organizations, so we need to prioritize what needs to be updated first, and that should be driven by risk.