Microsoft has released the final Patch Tuesday batch of security updates for the year.
Everything considered, December’s batch of updates is relatively lightweight.
Of the 58 updates, nine were labelled as critical, as failing to patch them leaves the door open for a malicious actor to gain unauthorised access to your computer.
As luck would have it, there are no reports of them being actively exploited.
The most critical of the bunch are in the following systems:
- SharePoint Server
- Microsoft Exchange Server
- Server 2016
- Windows 10
In addition, Microsoft has released an advisory on how to mitigate the DNS spoofing risk in Windows Server 2008 through 2019 (the advisory is available on its official website).
Another vulnerability worth noting resides in Microsoft Office.
Allan Liska, senior security architect at Recorded Future, warned that if exploited, the attacker would be able to run arbitrary code on the victim’s machine.
Microsoft Teams’ ‘zero-click’ vulnerability is another that you should pay attention to.
All it takes to exploit this cross-platform bug is to send a specially crafted chat message to the intended victim – this is enough to let the attacker execute any code of their choosing.
The bug was originally reported by Oskars Vegeris in August, and it was addressed by Microsoft in October.
This is only one out of five one-click remote execution bugs – it is not known whether the rest of them have been addressed yet.
Adobe has also chimed in with security updates pertaining to:
- Experience Manager
As Adobe Flash Player is scheduled for retirement at the end of the year, it did not receive any security updates.
As a matter of fact, Microsoft is working on removing it from its browsers, and both Google and Firefox are already blocking it by default.