fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Office Security Updates Fix Critical SharePoint RCE Bugs

Microsoft Office Security Updates Fix Critical SharePoint RCE Bugs

Microsoft has addressed critical remote code execution vulnerabilities in multiple SharePoint versions with this month’s Office security updates.

In total, this month the company released 23 security updates and 5 cumulative updates for 7 different products, fixing 9 vulnerabilities that could allow attackers to execute arbitrary code remotely on vulnerable systems.

Redmond also issued the December 2020 Patch Tuesday security updates, with security updates for 58 vulnerabilities, nine of them rated as Critical.

Non-security Windows updates were also released with the Windows 10 KB4592449 and KB4592438 cumulative updates.

SharePoint pre-auth remote code execution bug

The highlights of this month’s Microsoft Office security updates are without a doubt the two RCE security bugs affecting Microsoft SharePoint.

While the first one tracked as CVE-2020-17121 requires attackers to have basic user privileges for exploitation, the second one tracked as CVE-2020-17118 can be exploited remotely without authentication.

For successfully exploiting CVE-2020-17118 in low complexity attacks, attackers are also required to trick targets into opening maliciously crafted Office files.

Based on the information provided by Microsoft in the security advisory, CVE-2020-17118 proof-of-concept exploit code is also available (although probably shared privately) —

Also Read: How a Smart Contract Audit Works and Why it is Important

The bug was discovered by Jonathan Birch, a Senior Security Software Engineer with the Microsoft Office Security Team and it affects Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Foundation 2010 Service Pack 2.

“The code or technique is not functional in all situations and may require substantial modification by a skilled attacker,” Microsoft explains.

Microsoft Office security issues addressed in this month

Security updates published as part of the December 2020 Patch Tuesday address bugs that could allow remote code execution (RCE) on Windows systems running vulnerable Click to Run and Microsoft Installer (.msi)-based editions of Microsoft Office products.

The 9 RCE bugs patched this month are rated by Microsoft as Critical or Important severity issues as they may allow attackers to execute arbitrary code in the context of the current user after successful exploitation.

The attackers could then install malicious programs, view, change, and delete data, as well as create rogue admin accounts on the compromised Windows devices.

TagCVE IDTitleSeverity
Microsoft OfficeCVE-2020-17130Microsoft Excel Security Feature Bypass VulnerabilityImportant
Microsoft OfficeCVE-2020-17128Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2020-17129Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2020-17124Microsoft PowerPoint Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2020-17123Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2020-17119Microsoft Outlook Information Disclosure VulnerabilityImportant
Microsoft OfficeCVE-2020-17125Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2020-17127Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2020-17126Microsoft Excel Information Disclosure VulnerabilityImportant
Microsoft OfficeCVE-2020-17122Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office SharePointCVE-2020-17115Microsoft SharePoint Spoofing VulnerabilityModerate
Microsoft Office SharePointCVE-2020-17120Microsoft SharePoint Information Disclosure VulnerabilityImportant
Microsoft Office SharePointCVE-2020-17121Microsoft SharePoint Remote Code Execution VulnerabilityCritical
Microsoft Office SharePointCVE-2020-17118Microsoft SharePoint Remote Code Execution VulnerabilityCritical
Microsoft Office SharePointCVE-2020-17089Microsoft SharePoint Elevation of Privilege VulnerabilityImportant

December 2020 Microsoft Office security updates

Microsoft Office security updates are delivered through the Microsoft Update platform and via the Download Center.

More details about each of them including CVE IDs are available within the knowledge base articles linked below.

To download the December 2020 Microsoft Office security updates, click on the corresponding knowledge base article below and then scroll down to the ‘How to download and install the update‘ section.

Also Read: Data Centre Regulations Singapore: Does It Help To Progress?

Microsoft Office 2016

ProductKnowledge Base article title and number
Excel 2016Security update for Excel 2016 (KB4486754)
Office 2016Security update for Office 2016 (KB4486757)
Outlook 2016Security update for Outlook 2016 (KB4486748)
PowerPoint 2016Security update for PowerPoint 2016 (KB4484393)

Microsoft Office 2013

ProductKnowledge Base article title and number
Excel 2013Security update for Excel 2013 (KB4493139)
Office 2013Security update for Outlook 2013 (KB4486732)
PowerPoint 2013Security update for PowerPoint 2013 (KB4484468)

Microsoft Office 2010

ProductKnowledge Base article title and number
Excel 2010Security update for Excel 2010 (KB4493148)
Office 2010Security update for Office 2010 (KB4493140)
Office 2010Security update for Office 2010 (KB4486698)
Outlook 2010Security update for Outlook 2010 (KB4486742)
PowerPoint 2010Security update for PowerPoint 2010 (KB4484372)

Microsoft SharePoint Server 2019

ProductKnowledge Base article title and number
Office Online ServerSecurity update for Office Online Server (KB4486750)
SharePoint Server 2019Security update for SharePoint Server 2019 (KB4486751)
SharePoint Server 2019 Language PackSecurity update for SharePoint Server 2019 Language Pack (KB4486752)

Microsoft SharePoint Server 2016

ProductKnowledge Base article title and number
SharePoint Enterprise Server 2016Security update for SharePoint Enterprise Server 2016 (KB4486753)
SharePoint Enterprise Server 2016Security update for SharePoint Enterprise Server 2016 (KB4486721)

Microsoft SharePoint Server 2013

ProductKnowledge Base article title and number
Office Web Apps Server 2013Security update for Office Web Apps Server 2013 (KB4486760)
Project Server 2013Cumulative update for Project Server 2013 (KB4486763)
SharePoint Enterprise Server 2013Cumulative update for SharePoint Enterprise Server 2013 (KB4493137)
SharePoint Foundation 2013Cumulative update for SharePoint Foundation 2013 (KB4486761)
SharePoint Foundation 2013Security update for SharePoint Foundation 2013 (KB4493138)
SharePoint Foundation 2013Security update for SharePoint Foundation 2013 (KB4486696)

Microsoft SharePoint Server 2010

ProductKnowledge Base article title and number
Project Server 2010Cumulative update for Project Server 2010 (KB4493144)
SharePoint Foundation 2010Security update for SharePoint Foundation 2010 (KB4493149)
SharePoint Server 2010Cumulative update for SharePoint Server 2010 (KB4493146)
SharePoint Server 2010Security update for SharePoint Server 2010 (KB4486697)
SharePoint Server 2010 Office Web AppsSecurity update for SharePoint Server 2010 Office Web Apps (KB4486704)

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us