Microsoft fixes 26 critical vulnerabilities in another heavy Patch Tuesday

Microsoft has fixed 115 CVE-numbered vulnerabilities in its March 2020 Patch Tuesday update; 26 of them labelled as critical, affecting Windows, Edge (HTML and Chromium), ChakraCore, Internet Explorer, Microsoft Exchange Server, Microsoft Office, Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, Open Source Software, Azure, and Microsoft Dynamics, among other things.

The third Patch Tuesday of 2020 was another heavyweight – in fact, it will once again be the largest in Microsoft’s history, following significant disclosures in January and February. For once, it contains no zero day exploits, although this should not be taken as a sign it can be delayed, and some of the vulnerabilities should be sources of serious concern.

Satnam Narang, principal research engineer at Tenable, said: “This month’s Patch Tuesday is a considerable release, containing fixes for 115 vulnerabilities with 26 of them rated as critical and 88 rated as important. In contrast, Microsoft released fixes for 99 vulnerabilities, with only 16 rated as critical.

“Of the 58 elevation of privilege vulnerabilities patched this month, the most severe are CVE-2020-0788, CVE-2020-0877 [and] CVE-2020-0887,” said Narang. “These are elevation of privilege flaws in Win32k due to improper handling of objects in memory.

“Elevation of privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges,” he said.

“Microsoft also patched several memory corruption vulnerabilities. The most notable ones include one in Internet Explorer (CVE-2020-0824), and two in its scripting engine (CVE-2020-0832, CVE-2020-0833) due to the way objects are handled in memory.

“These vulnerabilities would provide an attacker the ability to execute code with the privileges of the current user,” said Narang. “In order to exploit the flaws, an attacker would either need to use social engineering tactics to convince their victim to visit a malicious website hosting the exploit code or compromise an existing website directly or through the compromise of an advertiser.”

Todd Schell, senior product manager for security at Ivanti, said that attention should be paid to CVE-2020-0765, a vulnerability in Remote Desktop Connection Manager for which Microsoft does not plan to release an update since the product has been deprecated.

“Their guidance is to use caution if you continue to use Remote Desktop Connection Manager, but Microsoft recommends moving to supported Remote Desktop clients,” said Schell.

Schell also noted several information disclosure vulnerabilities in several components of the Windows operating system that could allow hackers to read from the file system, uninitialised memory or even memory contents in kernel space from a user mode process. “A couple of these vulnerabilities could also allow an attacker to collect information that could allow them to predict addressing of memory,” he said.

“Ivanti’s recommendation is to focus on the Windows OS and browser updates along with Office as the top priorities this month.”

Qualys product manager Animesh Jain said she thought Microsoft had mis-classified a couple of the disclosed vulnerabilities, notably CVE-2020-0872, a remote code execution vulnerability in Application Inspector.

“This vulnerability can allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component,” she said. “This patch should be prioritised, despite being labelled as ‘important’ by Microsoft.”

Jain also drew attention to another remote code execution vulnerability, CVE-2020-0905 in Dynamics Business Central, which could allow attackers to execute arbitrary shell commands on a target system. “While this vulnerability is labelled as ‘exploitation less likely,’ considering the target is likely a critical server, this should be prioritised across all Windows servers and workstations,” she said.