
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN670
_____________________________________________________________________

DATE                : 09/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Microsoft Windows,
                      ChakraCore,
                      Microsoft Edge (EdgeHTML-based),
                      Microsoft Edge (Chromium-based),
                      Microsoft Edge for Android,
                      Microsoft Office,
                      Microsoft Office Web Apps,
                      Microsoft 365 Apps for Enterprise,
                      Microsoft Excel, Microsoft PowerPoint,
                      Microsoft Word, Microsoft Outlook,
                      Microsoft Office Online Server,
                      Microsoft SharePoint Enterprise Server,
                      Microsoft SharePoint Foundation,
                      Microsoft SharePoint Server,
                      Microsoft Exchange Server,
                      Visual Studio Code, Microsoft Visual Studio,
                      Dynamics 365 for Finance and Operations,
                      Microsoft Dynamics 365 (on-premises),
                      Microsoft Dynamics NAV 2015,
                      Team Foundation Server,
                      Azure Sphere, Azure DevOps Server,
                      C SDK for Azure IoT, Azure SDK for Java,
                      AV1 Video Extension, HEIF Image Extension,
                      HEVC Video Extensions, Raw Image Extension,
                      WebP Image Extension.

=====================================================================
https://portal.msrc.microsoft.com/fr-FR/security-guidance
https://msrc.microsoft.com/update-guide/releaseNote/2020-Dec
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001
https://msrc.microsoft.com/update-guide/vulnerability/ADV200002
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1325
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
_____________________________________________________________________

********************************************************************
Microsoft Security Update Summary for December 8, 2020
Issued: December 8, 2020
********************************************************************

This summary lists security updates released for December 8, 2020.

Complete information for the December 2020 security update release
can be found at
<https://msrc.microsoft.com/update-guide/>.

Please note the following information regarding the security updates:

* For information regarding enabling Windows 10, version 1909 features,
please see Windows 10, version 1909 delivery options:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1909-delivery-options/ba-p/1002660.
Note that these versions of Windows 10 share a common core operating
system with an identical set of system files: 1903 and 1909; 2004 and
20H2. They will also share the same security update KBs.
* Windows 10 updates are cumulative. The monthly security release
includes all security fixes for vulnerabilities that affect Windows
10, in addition to non-security updates. The updates are available
via the Microsoft Update Catalog:
https://catalog.update.microsoft.com/v7/site/Home.aspx.
* For information on lifecycle and support dates for Windows 10
operating systems, please see the Windows Lifecycle Fact Sheet:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
* A list of the latest servicing stack updates for each operating
system can be found in ADV990001:
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001.
This list will be updated whenever a new servicing stack update is
released. It is important to install the latest servicing stack update.
* Updates for Windows RT 8.1 and Microsoft Office RT software are
only available via Windows Update:
https://go.microsoft.com/fwlink/?LinkId=21130.
* In addition to security changes for the vulnerabilities, updates
include defense-in-depth updates to help improve security-related
features.
* Customers running Windows 7, Windows Server 2008 R2, or Windows Server
2008 need to purchase the Extended Security Update to continue receiving
security updates. See
https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates
for more information.
* There is a change coming with regards to Servicing Stack Updates.
Please see Simplifying SSUs for more information.


Critical Security Updates
============================

ChakraCore
Microsoft Edge (EdgeHTML-based)
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 17
Microsoft Exchange Server 2016 Cumulative Update 18
Microsoft Exchange Server 2019 Cumulative Update 6
Microsoft Exchange Server 2019 Cumulative Update 7
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Dynamics 365 for Finance and Operations

Important Security Updates
============================

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office Online Server
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps 2013 Service Pack 1
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions)
Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions)
Microsoft PowerPoint 2013 RT Service Pack 1
Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions)
Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions)
Microsoft PowerPoint 2016 (32-bit edition)
Microsoft PowerPoint 2016 (64-bit edition)
Microsoft SharePoint Server 2010 Service Pack 2
Office Online Server
Azure DevOps Server 2019 Update 1.1
Azure DevOps Server 2019.0.1
Azure DevOps Server 2020
Azure Sphere
C SDK for Azure IoT
Azure SDK for Java
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.8
Visual Studio Code Language Support for Java Extension
Visual Studio Code Remote - SSH Extension
Visual Studio Code TS-Lint Extension
Team Foundation Server 2015 Update 4.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics NAV 2015

Moderate Security Updates
============================

Microsoft Edge for Android


Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 8, 2020
**************************************************************************************

Security Advisories Released or Updated on December 8, 2020
======================================================================================

* ADV200013

 - ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability
in DNS Resolver
 - Reason for Revision: Information published.
 - Originally posted: December 8, 2020
 - Updated: N/A
 - Version: 1.0


* ADV990001

 - ADV990001 | Latest Servicing Stack Updates
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV990001
 - Reason for Revision: Advisory updated to announce that new versions
   of Servicing Stack Updates are available. Please see the FAQ for
   details.
 - Originally posted: November 13, 2018
 - Updated: December 8, 2020
 - Version: 29.0


* ADV200002

 - ADV200002 | Chromium Security Updates for Microsoft Edge (Chromium-Based)
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV200002
 - Reason for Revision: Updated advisory to announce a new version of
   Microsoft Edge (Chromium-based). Please see the table for more
   information.
 - Originally posted: January 28, 2020
 - Updated: December 8, 2020
 - Version: 30.0


======================================================================================

_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Update Releases
Issued: December 8, 2020
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2020-1325
* CVE-2020-1596
* CVE-2020-17049


Revision Information:
=====================

* CVE-2020-1325

 - CVE-2020-1325 | Azure DevOps Server and Team Foundation Services
Spoofing Vulnerability
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1325
 - Version 2.0
 - Reason for Revision: Microsoft is announcing the availability of the
   security update for Azure DevOps Server 2019 Update 1.1 to address
   this vulnerability. Customers running Azure DevOps Server 2019
   Update 1.1 should install the update to be protected from this
   vulnerability.
 - Originally posted: November 10, 2020
 - Updated: December 8, 2020
 - Aggregate CVE Severity Rating: Important


* CVE-2020-1596

 - CVE-2020-1596 | TLS Information Disclosure Vulnerability
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1596
 - Version 3.0
 - Reason for Revision: To address a known issue customers running
   Windows Server 2008 experienced after installing the September 2020
   security updates, Microsoft has released the December 2020 Monthly
   Rollup and Security Only updates for all affected versions of Windows
   Server 2008. Microsoft strongly recommends that customers
   enrolled in the Extended Security Update (ESU) program install the
   updates to correct this known issue.
 - Originally posted: September 8, 2020
 - Updated: December 8, 2020
 - Aggregate CVE Severity Rating: Important

* CVE-2020-17049

 - CVE-2020-17049 | Kerberos KDC Security Feature Bypass Vulnerability
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
 - Version 3.0
 - Reason for Revision: To comprehensively address CVE-2020-17049,
   Microsoft has released the following: December 2020 Security Updates
   for all affected Windows 10 servers, Windows Server 2012 R2, and
   Windows Server 2012; December 2020 Monthly Rollup updates and
   Security Only updates for all affected versions of Windows
   Server 2008 R2 and Windows Server 2008. These updates include fixes
   for all known issues originally introduced by the November 10, 2020
   security updates for CVE-2020-17049. Microsoft strongly recommends
   that customers running any of these versions of Windows Server
   install the updates and then follow the steps outlined
   in https://support.microsoft.com/help/4598347 to enable full
   protection on domain controller servers.
 - Originally posted: November 10, 2020
 - Updated: December 8, 2020
 - Aggregate CVE Severity Rating: Important


**************************************************************************************

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================