Internet Explorer zero day among 99 Patch Tuesday problems

Microsoft has released 99 security fixes, 12 flagged as critical, in its February Patch Tuesday update, among them a critical vulnerability in the Internet Explorer web browser that is known to have already been exploited in the wild.

First disclosed on 17 January, CVE-2020-0674 is a remote code execution vulnerability in the way the scripting engine handles objects in memory in Internet Explorer. It corrupts memory in a way that allows an attacker to execute arbitrary code in the context of the current user, and gain the same user rights – problematic if the user has admin privileges.

In a web-based attack scenario, a cyber criminal could set up a website to exploit the vulnerability and convince a user to view the website by sending a phishing email, for example.

February’s Patch Tuesday also includes updates for Microsoft Windows, Microsoft Edge (both EdgeHTML and Chromium versions), ChakraCore, Microsoft Exchange Server, Microsoft SQL Server, Microsoft Office and Microsoft Office Services and Web Apps, Windows Malicious Software Removal Tool, and Windows Surface Hub.

It follows an eventful January update, which marked not only the end of support for Windows 7, but also fixed a critical remote desktop flaw, and, notably, a cryptographic vulnerability in Windows 10 and Windows Server 2016, to which it was alerted by the US National Security Agency in an almost unprecedented move.

The February update is again notable for being one of the largest-ever Patch Tuesdays, but according to Todd Schell, senior security product manager at Ivanti, most of the CVEs contained within it can be fixed by applying just a few updates.

“On average, your OS updates will resolve around 50 CVEs,” said Schell. “The exception is Windows 10, which, along with IE and Edge, will resolve 88 CVEs. What is more important to talk about is which of these 99 CVEs are most critical to resolve and what products you need to update to plug those holes. Along with Microsoft, Adobe and Mozilla also have security updates this month.

“Five of the CVEs (including the zero-day) have been publicly disclosed, meaning that enough information has been made publicly available to give threat actors a head start on figuring out how to exploit them. By updating the operating system or browsers with a couple of patches per system, you can take the teeth out of the majority of the risk this month.”

He added: “The really good news in all of this is that 99 CVEs really doesn’t mean a whole lot of extra work for admins this month. The normal updates still apply. OS, browsers and Office will resolve most of your vulnerabilities from the Microsoft side. SQL and Exchange Admins do get a bit of extra work this month as both of those products are included in the updates released.”

Schell said there might still be scope for some confusion with regard to Windows 7, Server 2008 and 2008 R2 updates, which he noted are still being documented publicly and listed in the standard WSUS (Windows Server Update Services) catalogue.

He pointed out that this did not mean everyone had access to said updates, and, as per previous reporting, will still need to be paid-up subscribers to Microsoft’s Extended Security Updates (ESU) scheme to meet the specific criteria for the free updates outlines. There is also an ESU licence preparation patch that users must install to prepare for ESU updates.