Patch Tuesday Highlights – December 2020

The last Patch Tuesday of 2020 brought the fewest resolved vulnerabilities (58) of the year, with only 9 of them rated Critical. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

  • Microsoft is not releasing Preview updates in December. They announced this in November through the KB articles for the various updates (for example, KB4586781). Preview updates will resume in January.
  • 2021 is Year 2 of Microsoft’s Extended Security Updates (ESU) program for Windows 7 / Windows Server 2008. If you have purchased the Year 2 program from Microsoft, you can manually download the monthly updates from the Microsoft Update Catalog and use the Custom Patch feature in ZENworks Patch Management to distribute the updates to devices. Or, if you want to receive the updates through the ZENworks Patch Management patch feed, contact your Sales Account Representative or email zen@microfocus.com for details about the add-on subscription.
  • As a reminder, Adobe Flash Player general end-of-life is December 31st. In October, Microsoft released an update (KB4577586) that removes Adobe Flash Player versions installed through Windows, Internet Explorer, and Edge. ZENworks Patch Management includes this update as “Update for Removal of Adobe Flash Player for <Windows Version>” released on October 27, 2020. If you have Adobe Flash Player versions installed by other means, Adobe provides both Windows and Mac removal instructions.
  • Windows 10 1903 reached end of service on December 8. Devices running this operating system no longer receive the monthly security and quality updates that contain protection from the latest security threats.

Quick Take

  • Microsoft released fixes for 58 vulnerabilities. None of the vulnerabilities have public disclosures or known exploits.
  • Servicing Stack Updates this month: Windows 7/Server 2008 R2, Windows 10/Windows Server 2004, and Windows 10/Windows Server 20H2.

Windows Server 2019 Updates

  • The cumulative update (KB4592440) resolves 20 new CVEs (1 Critical, 19 Important). None have public disclosures or known exploits.

Windows Server 2016 Updates

  • The cumulative update (KB4593226) resolves 15 new CVEs (1 Critical, 14 Important). None have public disclosures or known exploits.

Windows 10 Updates

  • There is a new Servicing Stack Update (KB4593175) for versions 2004 and 20H2. It is not a prerequisite for December updates.
  • The cumulative update (KB number varies by version) resolves up to 20 CVEs (1 Critical) depending on the version. None have public disclosures or known exploits.

Windows 8.1 / Windows Server 2012 R2 Updates

  • The Security Monthly Quality Rollup (KB4592484) resolves 6 new CVEs (0 Critical, 6 Important). None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4592495) resolves 6 new CVEs (0 Critical, 6 Important). None have public disclosures or known exploits.

Windows Server 2012 Updates

  • The Security Monthly Quality Rollup (KB4592468) resolves 6 new CVEs (0 Critical, 6 Important). None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4592497) resolves 24 new CVEs (0 Critical, 6 Important). None have public disclosures or known exploits.

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4592510). It is not a prerequisite for November updates.
  • The Security Monthly Quality Rollup (KB4592471) resolves 9 new CVEs (0 Critical, 9 Important). None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4592503) resolves 9 new CVEs (0 Critical, 9 Important). None have public disclosures or known exploits.

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • The Security Monthly Quality Rollup (KB4592498) resolves 1 new CVE (0 Critical, 1 Important). None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4592504) resolves 1 new CVE (0 Critical, 1 Important). None have public disclosures or known exploits.

Microsoft Exchange Server

  • The monthly Security Update resolves 6 CVEs (3 Critical, 3 Important) for Exchange Server 2013 - 2019. None have public disclosures or known exploits.

Microsoft SharePoint Server

  • The monthly Security Updates resolve 6 CVEs (2 Critical, 3 Important, 1 Moderate) across Enterprise Server 2013 & 2016, Foundation Server 2013, and SharePoint Server 2010. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

  • The Security Update resolves up to 10 CVEs (maximum severity is Important) depending on the version. None have public disclosures or known exploits.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

  • Each channel update resolves up to 8 CVEs (maximum severity is Important) depending on the version. None have public disclosures or known exploits.

Google Chrome

Mozilla Firefox

  • Firefox 83.3 resolves 22 vulnerabilities (maximum impact is High).
  • Firefox ESR 78.5 resolves 13 vulnerabilities (maximum impact is High).

Mozilla Thunderbird

  • Thunderbird 78.5.0 resolves 12 vulnerabilities (maximum impact is High).
  • Thunderbird 78.5.1 resolves 1 vulnerability (maximum impact is High).
