Microsoft presents us with a light Patch Tuesday for December
With just 58 updates to deal with this month, the December Patch Tuesday should make for a welcome light-duty patch-and-test cycle. There were no zero-days and no reports of publicly exploited security issues, though there is a critical update to Microsoft Exchange Server that should be a priority. Beyond that, there is less pressure than usual on the Windows, browser, and Office updates.
Microsoft has also released two Servicing Stack Updates (SSUs) for its desktop and server platforms (ADV990001) and an update to the Chromium-based Edge browser (ADV200002).
Our helpful infographic this month looks a little lopsided, as all of the attention should be on the Windows components.
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:
You can also find Microsoft’s summary of known issues for this release in a single page.
This month, we have three major revisions for documentation reasons released by Microsoft:
For December, Microsoft published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month, including:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
With a single critical update (CVE-2020-17131) and a single moderate patch (CVE-2020-17153) we are definitely seeing a trend here of fewer patches and updates to the Microsoft browser stack. We usually have a long list of browser-based functional areas to highlight, but this month we have just the following:
The Microsoft Edge update (CVE-2020-17131) would normally be a priority, since a memory-corruption bug of this kind can lead to remote code execution. However, this vulnerability is relatively difficult to exploit and we have not seen any reports of exploits in the wild. Add this very light browser update to your standard update deployment effort.
The final month of Windows updates for 2020 sees only a single critical Windows patch (CVE-2020-17095) and a further 15 updates rated as important. Here is how the patches are dispersed across the following features (or functional groupings):
I think Microsoft must be worried that the Hyper-V vulnerability (CVE-2020-17095) will soon be publicly exploited. To compromise the Hyper-V host, an attacker needs only to run a specially crafted application on a guest VM that sends malformed vSMB packet (network) data which the host fails to validate. That said, there are a number of updates to the Windows platform that will require some testing, including: GDI, Microsoft Backup, and the Windows Lock Screen component. Referencing the "Key Testing Scenarios" section in this post, I strongly recommend testing application-specific printing features before significant deployment of this Microsoft update.
Add this Windows update to your standard release cycle, with sufficient time for key line-of-business application testing.
This month, Microsoft has distributed two critical updates and nine patches rated as important to the Microsoft Office platform (including Exchange Server and Microsoft Dynamics). They cover the following application or feature groupings:
The real focus this month is on the critical Exchange Server patch (CVE-2020-17132), which resolves a vulnerability in how Exchange Server validates "cmdlet" arguments. Unfortunately, this is a relatively easy to exploit (low complexity), network-based vulnerability that requires no user interaction and leads to arbitrary code execution on your enterprise's Exchange servers (this is not a good thing). Unusually for us, we recommend that you make this Exchange update an immediate "Patch Now"; call it a "Priority Patch Now," if that helps move things along. Otherwise, add the other Office updates to your standard update release schedule.
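A "Patch Now" call is only useful if you can confirm the update actually landed, and Exchange is the one place where the obvious check misleads: Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update level, while a Security Update bumps the file version of ExSetup.exe. The following PowerShell, added here as an illustration and not code from the original article or from Microsoft, checks Windows hotfixes (for the Windows update discussed above) by KB number and reads the Exchange build the way Microsoft documents it. The function names, the KB identifiers and the minimum build in the usage lines are placeholders to be replaced with the values from Microsoft's release notes.

```powershell
# Added example, not part of the original article.
# Verifies that a set of Windows updates and (optionally) an Exchange
# Security Update are present on the local machine. KB numbers and the
# Exchange build passed in the usage lines below are placeholders.

function Test-WindowsKbInstalled {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $KbId
    )
    # Get-HotFix reads the same data as "Installed Updates" in Control Panel.
    # It does not list every package type (some Defender and driver updates
    # never appear), so a missing entry means "go check WSUS/SCCM", not
    # "definitely not installed".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbId) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-ExchangeBuild {
    # Microsoft's documented way to read the SU-level build: the file
    # version of ExSetup.exe, which is on PATH on an Exchange server.
    $exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if (-not $exsetup) { return $null }
    [version] $exsetup.FileVersionInfo.ProductVersion
}

function Test-ExchangeSecurityUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [version] $MinimumBuild
    )
    $build = Get-ExchangeBuild
    if (-not $build) {
        Write-Warning "ExSetup.exe not found on PATH; run this on the Exchange server itself."
        return $null
    }
    [pscustomobject]@{
        InstalledBuild = $build
        MinimumBuild   = $MinimumBuild
        Patched        = ($build -ge $MinimumBuild)
    }
}

# Usage (placeholder identifiers; substitute the KB numbers and the build
# number from the release notes of the update you are verifying):
Test-WindowsKbInstalled -KbId 'KB0000000', 'KB0000001' | Format-Table -AutoSize
Test-ExchangeSecurityUpdate -MinimumBuild '15.2.0.0' | Format-List
```

Run it in an elevated session on each host (for the Exchange check, from the Exchange Management Shell on the server). A `Patched = False` result on a server you believed was done is exactly the case the "Priority Patch Now" advice is meant to catch.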
There aren't any critical updates released this month for Microsoft development tools. That said, there are four updates to Visual Studio and the Azure SDK rated as important by Microsoft and two further patches for the Azure DevOps server that are also rated as important, shown in the following feature group listing:
All of these reported vulnerabilities are relatively difficult to exploit, and it looks as if Microsoft developed and deployed a patch before these issues were exploited in the wild. If you use the hosted Azure DevOps Services, Microsoft handles the update process for you; self-hosted Azure DevOps Server installations need the patch applied like any other on-premises product. We recommend adding these developer tool patches to your standard update release schedule.
Microsoft has not released any updates for Adobe products for December. I was wondering if it would ship another "kill-bit" update, as Flash reaches end of life this month. Since Adobe Flash is (soon to be) dead, we can all start worrying about Adobe Reader instead. Adobe released a patch for Reader (APSB20-67) resolving 14 security issues, four of which were rated as critical.
Now, how are we supposed to update Adobe products again?