Microsoft issued the February 2020 Security Updates that include 101 unique vulnerability fixes, 13 of those rated critical. The update also includes a patch for an IE zero-day scripting engine vulnerability CVE-2020-0674 disclosed in January.
In all, the security updates address vulnerabilities in multiple Microsoft products:
- ChakraCore
- Internet Explorer
- Microsoft Edge (Chromium-based)
- Microsoft Edge (EdgeHTML-based)
- Microsoft Exchange Server
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft SQL Server
- Microsoft Windows
- Windows Malicious Software Removal Tool
- Windows Surface Hub.
Microsoft has provided patches for each of the vulnerabilities and summarized in the February 2020 Security Updates Release Notes.
Zero-day IE patch
Microsoft confirmed there have been active exploits of an Internet Explorer javascript engine vulnerability CVE-2020-0674. The patch addresses the vulnerability by modifying how the scripting engine handles objects in memory.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft said.
The company also provided additional guidance ADV200001 to help organizations with applying the necessary updates.
Critical Exchange patch
A remote code execution vulnerability CVE-2020-0688 exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
“Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM,” Microsoft stated in the advisory.
ChakraCore and Edge RCE
Microsoft also patched a ChakraCore remote code execution (RCE) vulnerability CVE-2020-0767.
The Critical vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory and impacts Edge browsers running on Windows 10, Windows Server 2016 and Windows Server 2019.
Critical Remote Desktop RCEs
Microsoft also patched Critical Remote Desktop Client RCE Vulnerabilities CVE-2020-0681, CVE-2020-0734 and CVE-2020-0817.
According to Microsoft, “a remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”
Microsoft also confirmed that exploits of each of these vulnerabilities are “more likely.”
Other Critical RCEs
Nearly half dozen of the remaining Critical RCE vulnerabilities affect Microsoft browsers and are related to the way the scripting engine handles objects in memory.
Another RCE vulnerability CVE-2020-0729 could allow remote code execution if a .LNK file is processed.
Last, Microsoft patched a Critical Media Foundation memory corruption vulnerability CVE-2020-0738 that could also result in remote code execution.
Important vulnerabilities
Microsoft also patched a large number (88) of vulnerabilities rated “Important.” The products impacted include Exchange Server, Windows, SQL Server, Browser and System Center.
Finally, 7 moderate vulnerabilities were also patched.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.
Updated Sept 15, 2020: this article was updated to also include Microsoft Exchange vulnerability CVE-2020-0688. According to recent Department of Homeland Security (DHS) advisory, this CVE is one of four vulnerabilities most under attack in the past 12 months by Chinese Ministry of State Security (MSS)-affiliated cyber threat actors.
Related Articles
- Chinese threat actors targeting U.S. government agencies and these 4 CVEs
- Microsoft issues security advisory and workaround for Critical IE vulnerability (CVE-2020-0674)
- Microsoft January 2020 Security Updates (includes fix for Windows CryptoAPI vulnerability)
- Threat actors are launching web shell attacks
- The top 20 vulnerabilities to patch now (that are most under attack)