
Automox Patch Tuesday Breakdown: February 2020

Microsoft released fixes for 99 security vulnerabilities this month, 12 of which are rated critical -- nearly double the number of patches we saw in January. February’s update also includes a fix for a zero-day vulnerability in Internet Explorer that is being actively exploited in the wild. Microsoft recommends patching these vulnerabilities as soon as possible.

Timely patching is essential to overall cyber hygiene, but in the face of a zero-day vulnerability, speed becomes especially important. A zero-day vulnerability is already being exploited by malicious actors at the time of disclosure. Available patches should be applied as quickly as possible to reduce your risks.

In addition to a heavy patch load from Microsoft, there are 42 security updates from Adobe to contend with this month -- many of which are critical but, fortunately, none of which are known to be actively exploited.

This is a heavy Patch Tuesday on the Microsoft end, so the race to patch critical vulnerabilities on your systems within the next 72 hours is on. With nearly every build of Windows affected by critical vulnerabilities, attackers will have no shortage of exploitable flaws and new attack vectors to bring to bear in the coming days.
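As an added example (not from the Automox post and not part of the Automox platform), the following PowerShell checks a Windows host against the 72-hour patch window described above. It assumes 11 February 2020 as the release date of this Patch Tuesday, reads the installed cumulative update from the CurrentBuild and UBR registry values, and uses placeholder minimum revisions that must be replaced with the real numbers from the Microsoft Security Update Guide for each build. The Get-HotFix lookup is a secondary check only, since it does not see Office, Exchange or third-party (Adobe) updates.

```powershell
# Added example, not from the Automox post. Reports whether this Windows host
# carries the February 2020 (or a later) cumulative update and how much of the
# 72-hour patch window remains.

# Minimum UBR (update build revision) per Windows 10 / Server build that
# includes the February 2020 cumulative update. PLACEHOLDER values: take the
# real revision for each build from the Microsoft Security Update Guide.
$MinimumRevision = @{
    '18363' = 0   # Windows 10 1909              -> PLACEHOLDER
    '18362' = 0   # Windows 10 1903              -> PLACEHOLDER
    '17763' = 0   # Windows 10 1809 / Server 2019 -> PLACEHOLDER
}

function Get-PatchWindowStatus {
    param(
        # Patch Tuesday for February 2020 fell on 11 February 2020 (assumed release date)
        [datetime]$ReleaseDate = (Get-Date '2020-02-11'),
        [int]$WindowHours = 72,
        [datetime]$Now = (Get-Date)
    )
    $deadline = $ReleaseDate.AddHours($WindowHours)
    [pscustomobject]@{
        Deadline       = $deadline
        HoursRemaining = [math]::Round(($deadline - $Now).TotalHours, 1)
        Overdue        = ($Now -gt $deadline)
    }
}

function Test-CumulativeUpdate {
    # CurrentBuild plus UBR identifies which cumulative update is installed;
    # UBR only exists on Windows 10 and later, so older builds report "unknown".
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR

    if (-not $MinimumRevision.ContainsKey($build)) {
        return [pscustomobject]@{
            Build  = "$build.$ubr"
            Status = 'Unknown build; verify the installed update manually'
        }
    }

    $patched = $ubr -ge $MinimumRevision[$build]
    $status  = if ($patched) { 'February 2020 cumulative update (or newer) present' }
               else          { 'MISSING February 2020 cumulative update' }

    [pscustomobject]@{ Build = "$build.$ubr"; Status = $status }
}

function Get-RecentHotFixes {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists only some OS
    # updates (no Office, Exchange or Adobe patches): use as a secondary check.
    param([datetime]$Since = (Get-Date '2020-02-11'))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn
}

Get-PatchWindowStatus
Test-CumulativeUpdate
Get-RecentHotFixes | Format-Table -AutoSize
```

Run it from an elevated PowerShell on each host, or push it through your endpoint management tooling; an "Overdue" result together with a "MISSING" status is the combination to act on first.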

Be sure to check out last month’s breakdown for coverage of January’s Patch Tuesday update.

Fix for zero-day vulnerability in Internet Explorer

A zero-day vulnerability in Internet Explorer that was first disclosed back in January receives a necessary patch in February’s security update. Known as “CVE-2020-0674”, this is a scripting engine memory corruption vulnerability. Microsoft reports that a remote code execution vulnerability exists in the way Internet Explorer’s scripting engine handles objects in memory.

One way attackers can exploit this vulnerability is by tricking users into visiting specially crafted websites designed to target this flaw in Internet Explorer. If the flaw is successfully exploited, attackers can execute arbitrary code in the context of the current user. If that user has administrative-level privileges, a malicious actor can gain control of the system -- allowing them to view, change or delete data, install new programs and create new user accounts.

As experts note, you don’t have to be using Internet Explorer to be affected by this security bug; even embedded documents in Microsoft Word can be used by attackers to exploit this flaw.

Microsoft reported three other publicly disclosed vulnerabilities, but these were not being actively exploited in the wild. The publicly disclosed vulnerabilities are:

  • CVE-2020-0683 - Windows Installer Elevation of Privilege Vulnerability
  • CVE-2020-0686 - Windows Installer Elevation of Privilege Vulnerability
  • CVE-2020-0706 - Microsoft Browser Information Disclosure Vulnerability

CVE-2020-0683 and CVE-2020-0686 are both elevation of privilege vulnerabilities that occur in Windows Installer when MSI packages process symbolic links.

To exploit these, an attacker would first need to log on to the target system and then run a specially crafted application. If successful, the attacker could circumvent access restrictions on adding and removing files -- meaning they could add or remove files on the victim system at will. Microsoft resolves this issue by changing how Windows Installer handles reparse points.

CVE-2020-0706 is an information disclosure vulnerability occurring in affected Microsoft browsers when they handle cross-origin requests. Attackers can exploit this vulnerability by hosting a malicious website designed to target this flaw -- or by creating specially crafted content and getting it hosted on other sites. In either scenario, the attacker must convince a user to view their malicious content. For example, an attacker may trick a user into following a link to their malicious website.

The security update from Microsoft addresses this issue by correcting how affected browsers handle cross-origin requests.

More critical updates from Microsoft

All told, Microsoft has released 99 security updates, and 12 of them are rated critical. In addition to the zero-day vulnerability addressed this month, the critical updates include a number of remote code execution vulnerabilities:

  • CVE-2020-0662 is a remote code execution vulnerability that exists in the way Windows handles objects in memory. An attacker with a domain user account could exploit this flaw by sending requests designed to cause Windows to run arbitrary code with elevated permissions on the victim system. The security update corrects this issue by changing how Windows handles objects in memory.
  • CVE-2020-0673 is a remote code execution vulnerability that exists in the way Internet Explorer’s scripting engine handles objects in memory. One way attackers can exploit this flaw is by getting users to visit a specially crafted malicious website. If the user has administrative rights, the attacker can seize control of the target system -- allowing them to view or change data, install programs and create new user accounts. This flaw is addressed by correcting how the scripting engine handles objects in memory.
  • CVE-2020-0681 and CVE-2020-0734 are remote code execution vulnerabilities that exist in Windows Remote Desktop Client when users connect to a malicious server. To exploit these vulnerabilities, attackers would need to trick users into connecting to a malicious server -- whether through DNS poisoning, a man-in-the-middle (MITM) attack or social engineering. An attacker could also compromise a legitimate server, run malicious code on it and lie in wait. If exploitation is successful, attackers can use these flaws to run arbitrary code on the connecting client, allowing them to view and change data, create new user accounts and install programs.

  • CVE-2020-0688 is another remote code execution vulnerability, which exists in Microsoft Exchange software when it fails to handle objects in memory properly. Attackers can exploit this flaw by sending a specially crafted email to an affected Exchange server. The security update resolves this issue by correcting how Microsoft Exchange handles objects in memory.
  • CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713 and CVE-2020-0767 are remote code execution vulnerabilities that exist in the way the ChakraCore scripting engine handles objects in memory. With successful exploitation, attackers can run arbitrary code in the context of the current user, with that user’s rights. These flaws are addressed by correcting how ChakraCore handles objects in memory.
  • CVE-2020-0729 is a remote code execution vulnerability in Microsoft Windows that is triggered when a .LNK file is processed. As Microsoft explains, attackers can exploit this flaw by presenting users with “a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.” Successful exploitation could allow the attacker to gain the same rights as the local user. This flaw is resolved by correcting the processing of .LNK references.

This month, Microsoft also released a critical update for a memory corruption vulnerability. CVE-2020-0738 exists when Windows Media Foundation handles objects in memory incorrectly. This vulnerability can be exploited in a variety of ways, including getting users to open malicious documents or visit malicious web pages. Successful exploitation could give attackers the full rights of the current user, including access to data and the ability to install programs and create new user accounts.

In addition to the vulnerabilities rated critical this month, there are also several important security updates to focus on. As experts note, CVE-2020-0618 and CVE-2020-0662 are ones to keep an eye on. CVE-2020-0662 doesn’t require any user interaction -- so while it may be rated lower than other vulnerabilities released for February, it should still be on your radar.

While these updates may not be zero-days, critical and important patches should be applied as quickly as possible.

42 security updates from Adobe

In addition to nearly 100 updates from Microsoft, Adobe has released 42 security updates for February. These include fixes for bugs in Framemaker, Experience Manager, Adobe Digital Editions, Flash, and Acrobat and Reader.

Of the 42 fixes, 21 are critical updates for Adobe Framemaker alone. Many of these are out-of-bounds bugs that could allow code execution. For Acrobat and Reader, Adobe has released 17 updates, the worst of which could also allow code execution.

Digital Editions gets two fixes -- one of them for a command injection vulnerability that could allow code execution. Flash gets a single security update for a bug that could lead to code execution with the privileges of the current user. Experience Manager also gets a single update: a fix for a denial-of-service (DoS) bug.

February’s Patch Tuesday update is no slouch. As the largest security update of the year so far, February brings nearly 100 updates for Microsoft alone -- and over 40 from Adobe. Many of these security updates are critical and should be addressed as soon as possible.

About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
