Security News

Proof-of-concept exploit code and full details on a Windows Kerberos security bypass vulnerability have been published earlier this week by Jake Karnes, the NetSPI security consultant and penetration tester who reported the security bug to Microsoft. The security bug tracked as CVE-2020-17049 and patched by Microsoft during November 2020's Patch Tuesday can be exploited in what the researcher has named as Kerberos Bronze Bit attacks.

A total of 46 vulnerabilities were addressed this week with the release of the December 2020 security updates for Android. A total of 33 flaws are patched as part of the 2020-12-05 security patch level.

SAP this week released eleven security notes as part of its December 2020 Security Patch Day, including four that were rated 'hot news. Featuring a CVSS score of 10, the most important of the notes addresses a missing authentication check vulnerability in SAP NetWeaver AS JAVA. Identified by security researchers at Onapsis, a firm that specializes in securing Oracle and SAP applications, the issue could allow an unauthenticated attacker to perform privileged actions over a TCP connection.

U.S. DHS Cybersecurity and Infrastructure Security Agency has warned admins to upgrade their vulnerable OpenSSL instances immediately. OpenSSL advisory states, one place where the GENERAL NAME cmp function is used is when OpenSSL validates a certificate's CRL distribution point field.

Microsoft today issued its final batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft's most-dire "Critical" label, meaning they can be abused by malware or miscreants to seize remote control over PCs without any help from users. Some of the sub-critical "Important" flaws addressed this month also probably deserve prompt patching in enterprise environments, including a trio of updates tackling security issues with Microsoft Office.

For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements. In a post on Monday to a Kubernetes mailing list, Apple software engineer Tim Allclair, a member of the Kubernetes Product Security Committee, outlined a medium severity bug by which an individual with the ability to create or edit services and pods could intercept traffic from other pods/nodes in the cluster.

Microsoft has addressed 58 CVEs for its December 2020 Patch Tuesday update. Also on the Exchange front, CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September's Patch Tuesday release.

As expected, Microsoft fixed a smaller-than-usual number of CVEs on this December 2020 Patch Tuesday: 58 in total. Satnam Narang, staff research engineer at Tenable, pointed out that CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September's Patch Tuesday release.

The OpenSSL Project today warned that the widely deployed TLS/SSL toolkit is vulnerable to a serious security flaw that exposes users to denial-of-service attacks. According to an alert from the open-source group, the problem is caused by a specific function that "Behaves incorrectly" if an attacker successfully triggers certain conditions.

With the December 2020 Patch Tuesday security updates release, Microsoft has released fixes for 58 vulnerabilities and one advisory for Microsoft products. Of the 58 vulnerabilities fixed today, nine are classified as Critical, 48 as Important, and two as Moderate.