微软发布12月补丁修复58个安全问题安全威胁通告

发稿时间:2021-11-15 浏览次数:12

综述

微软于周二发布了12月安全更新补丁,修复了58个从简单的欺骗攻击到远程执行代码的安全问题,其中Critical级别漏洞9个,Important 级别漏洞47 个,Moderate级别漏洞2个。强烈建议所有用户尽快安装更新。

受影响产品涉及Azure DevOpsAzure SDKAzure SphereMicrosoft DynamicsMicrosoft EdgeMicrosoft Exchange ServerMicrosoft Graphics ComponentMicrosoft OfficeMicrosoft Office SharePointMicrosoft WindowsMicrosoft Windows DNSVisual StudioWindows Backup EngineWindows Error ReportingWindows Hyper-VWindows Lock ScreenWindows Media以及Windows SMB

Critical & Important漏洞概述

部分 Critical Important 漏洞描述如下:

  • Microsoft Exchange远程代码执行漏洞(CVE-2020-17132CVE-2020-17142

这两个漏洞是由程序对cmdlet参数的验证不正确造成,经过身份验证的攻击者利用该漏洞可在无需用户交互的情况下实现远程代码执行。

官方评级 CriticalCVSS:3.0 9.1/8.2

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142

  • Microsoft SharePoint远程代码执行漏洞(CVE-2020-17121

该漏洞允许经过身份验证的攻击者在 SharePoint Web应用程序服务器上执行任意 .NET 代码。在其默认配置中,经过身份验证的SharePoint用户能够创建提供必要权限的站点,而这些权限恰好是发起攻击的先决条件。

官方评级 CriticalCVSS:3.0 8.8/7.7

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17121

  • Hyper-V远程代码执行漏洞(CVE-2020-17095

能够在Hyper-V客户机上执行特制软件的攻击者,通过向Hyper-V宿主机发送vSMB数据包,可能在Hyper-V宿主机上执行任意代码。

官方评级 CriticalCVSS:3.0 8.5/7.4

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095

  • Microsoft Exchange 2010远程执行代码漏洞(CVE-2020-17144

漏洞由程序对cmdlet参数的验证不正确造成,经过身份验证的攻击者利用该漏洞可实现远程代码执行。

官方评级 ImportantCVSS:3.0 8.4/7.6

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144

  

  • Windows NTFS远程代码执行漏洞(CVE-2020-17096

利用该漏洞,本地攻击者运行特制的应用程序可实现特权提升。能够通过SMBv2访问脆弱系统的远程攻击者可以通过网络发送特殊设计的请求,利用漏洞在目标系统上执行代码。

官方评级 ImportantCVSS:3.0 7.5/6.5

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17096

  

本次更新概括:

产品

CVE 编号

CVE 标题

严重程度

Microsoft Dynamics

CVE-2020-17152

Microsoft   Dynamics 365 for Finance and Operations (on-premises) 远程代码执行漏洞

Critical

Microsoft   Dynamics

CVE-2020-17158

Microsoft Dynamics 365   for Finance and Operations (on-premises) 远程代码执行漏洞

Critical

Microsoft   Edge

CVE-2020-17131

Chakra   Scripting Engine 内存破坏漏洞

Critical

Microsoft   Exchange Server

CVE-2020-17117

Microsoft Exchange 远程代码执行漏洞

Critical

Microsoft   Exchange Server

CVE-2020-17132

Microsoft   Exchange 远程代码执行漏洞

Critical

Microsoft   Exchange Server

CVE-2020-17142

Microsoft Exchange 远程代码执行漏洞

Critical

Microsoft   Office SharePoint

CVE-2020-17118

Microsoft   SharePoint 远程代码执行漏洞

Critical

Microsoft   Office SharePoint

CVE-2020-17121

Microsoft SharePoint 远程代码执行漏洞

Critical

Windows   Hyper-V

CVE-2020-17095

Hyper-V 远程代码执行漏洞

Critical

Azure DevOps

CVE-2020-17135

Azure DevOps Server 欺骗漏洞

Important

Azure DevOps

CVE-2020-17145

Azure DevOps   Server and Team Foundation Services 欺骗漏洞

Important

Azure SDK

CVE-2020-16971

Azure SDK for Java 安全功能绕过漏洞

Important

Azure SDK

CVE-2020-17002

Azure SDK   for C 安全功能绕过漏洞

Important

Azure Sphere

CVE-2020-17160

Azure Sphere 安全功能绕过漏洞

Important

Microsoft   Dynamics

CVE-2020-17147

Dynamics CRM   Webclient Cross-site Scripting Vulnerability

Important

Microsoft   Dynamics

CVE-2020-17133

Microsoft Dynamics Business   Central/NAV Information Disclosure

Important

Microsoft   Exchange Server

CVE-2020-17141

Microsoft   Exchange 远程代码执行漏洞

Important

Microsoft   Exchange Server

CVE-2020-17143

Microsoft Exchange 信息泄露漏洞

Important

Microsoft   Exchange Server

CVE-2020-17144

Microsoft   Exchange 远程代码执行漏洞

Important

Microsoft   Graphics Component

CVE-2020-17098

Windows GDI+ 信息泄露漏洞

Important

Microsoft   Graphics Component

CVE-2020-17137

DirectX   Graphics Kernel 特权提升漏洞

Important

Microsoft   Office

CVE-2020-17119

Microsoft Outlook 信息泄露漏洞

Important

Microsoft   Office

CVE-2020-17122

Microsoft   Excel 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17123

Microsoft Excel 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17124

Microsoft   PowerPoint 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17125

Microsoft Excel 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17126

Microsoft   Excel 信息泄露漏洞

Important

Microsoft   Office

CVE-2020-17127

Microsoft Excel 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17128

Microsoft   Excel 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17129

Microsoft Excel 远程代码执行漏洞

Important

Microsoft   Office

CVE-2020-17130

Microsoft   Excel 安全功能绕过漏洞

Important

Microsoft   Office SharePoint

CVE-2020-17089

Microsoft SharePoint 特权提升漏洞

Important

Microsoft   Office SharePoint

CVE-2020-17120

Microsoft   SharePoint 信息泄露漏洞

Important

Microsoft   Windows

CVE-2020-17092

Windows Network   Connections Service 特权提升漏洞

Important

Microsoft   Windows

CVE-2020-17103

Windows   Cloud Files Mini Filter Driver 特权提升漏洞

Important

Microsoft   Windows

CVE-2020-17134

Windows Cloud Files   Mini Filter Driver 特权提升漏洞

Important

Microsoft   Windows

CVE-2020-17136

Windows   Cloud Files Mini Filter Driver 特权提升漏洞

Important

Microsoft   Windows

CVE-2020-17138

Windows Error Reporting   信息泄露漏洞

Important

Microsoft   Windows

CVE-2020-17139

Windows   Overlay Filter 安全功能绕过漏洞

Important

Microsoft   Windows

CVE-2020-16996

Kerberos 安全功能绕过漏洞

Important

Microsoft   Windows DNS

ADV200013

Microsoft   Guidance for Addressing 欺骗漏洞 in DNS Resolver

Important

Visual   Studio

CVE-2020-17148

Visual Studio Code   Remote Development Extension 远程代码执行漏洞

Important

Visual   Studio

CVE-2020-17150

Visual   Studio Code 远程代码执行漏洞

Important

Visual   Studio

CVE-2020-17156

Visual Studio 远程代码执行漏洞

Important

Visual   Studio

CVE-2020-17159

Visual   Studio Code Java Extension Pack 远程代码执行漏洞

Important

Windows   Backup Engine

CVE-2020-16958

Windows Backup Engine 特权提升漏洞

Important

Windows   Backup Engine

CVE-2020-16959

Windows   Backup Engine 特权提升漏洞

Important

Windows   Backup Engine

CVE-2020-16960

Windows Backup Engine 特权提升漏洞

Important

Windows   Backup Engine

CVE-2020-16961

Windows   Backup Engine 特权提升漏洞

Important

Windows   Backup Engine

CVE-2020-16962

Windows Backup Engine 特权提升漏洞

Important

Windows   Backup Engine

CVE-2020-16963

Windows   Backup Engine 特权提升漏洞

Important

Windows   Backup Engine

CVE-2020-16964

Windows Backup Engine 特权提升漏洞

Important

Windows   Error Reporting

CVE-2020-17094

Windows   Error Reporting 信息泄露漏洞

Important

Windows Lock   Screen

CVE-2020-17099

Windows Lock Screen 安全功能绕过漏洞

Important

Windows   Media

CVE-2020-17097

Windows   Digital Media Receiver 特权提升漏洞

Important

Windows SMB

CVE-2020-17096

Windows NTFS 远程代码执行漏洞

Important

Windows SMB

CVE-2020-17140

Windows SMB 信息泄露漏洞

Important

Microsoft   Edge

CVE-2020-17153

Microsoft Edge for   Android 欺骗漏洞

Moderate

Microsoft   Office SharePoint

CVE-2020-17115

Microsoft   SharePoint 欺骗漏洞

Moderate