News

Microsoft's March Security Rollout Targets 26 Critical Flaws

• By Kurt Mackie
• 03/10/2020

Microsoft addressed about 115 common vulnerabilities and exposures (CVEs) in its March security patches, which mostly affect Windows systems and Microsoft's browsers, plus a bunch of developer components.

Per e-mailed commentary by Todd Schell, a senior product manager for security at Ivanti, there were 79 CVEs for Windows systems and 18 CVEs for Microsoft's browsers in this month's bundle.

Other products getting patches this month include Microsoft Office, Visual Studio, Dynamics 365 Business Central and SharePoint Server, among others, as shown in Microsoft's "Security Update Summary." The more complete "Security Update Guide" offers 156 pages of details.

Of the total this month, about 26 CVEs are deemed "Critical" by Microsoft, while 88 are considered "Important," per a count by Trend Micro's Zero Day Initiative blog. There's just one vulnerability (CVE-2020-0765) for Remote Desktop Connection Manager that's deemed to be "Moderate," but there's no patch for it as Microsoft has "deprecated" (stopped developing) that application.

None of the CVEs in this month's security bundle were previously publicly known or under active attack.

Microsoft held back on a patch for a remote code execution (RCE) vulnerability in Server Message Block 3. The vulnerability is labeled as CVE-2020-0796, and apparently was briefly disclosed by the Cisco Talos security blog before getting removed. The description is reproduced in this Twitter post, as well as this one.

Critical Patches
The standout in this month's patch bundle, according to Dustin Childs of ZDI, is a Critical vulnerability in Microsoft Word (CVE-2020-0852). This vulnerability can lead to RCE, but no user interaction with an attached file is necessary, according to Childs. "Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user," he wrote.

His description seems to differ somewhat from Microsoft's security bulletin, which stated that "to exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software."

A few other Critical vulnerabilities were highlighted by security researchers. There's a Critical .LNK file vulnerability (CVE-2020-0684) this month, which requires opening a specially crafted .LNK file that could be delivered by "a removable drive or remote share," according to the Cisco Talos security blog. Microsoft had issued a .LNK file patch last month, too, but this one's not the same thing, according to analysis by Childs.

The ChakraCore scripting engine in Microsoft's browsers got multiple patches this month for memory corruption issues deemed Critical. The Talos blog listed the vulnerabilities as CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833 and CVE-2020-0848

There are plenty of Critical CVEs this month that are associated with developer components. The GDI+ component used for C and C++ has two RCE vulnerabilities, namely CVE-2020-0881 and CVE-2020-0883. The VBScript engine has CVE-2020-0824 and CVE-2020-0847 RCE vulnerabilities. The Microsoft Media Foundation has four memory corruption vulnerabilities -- namely CVE-2020-0801, CVE-2020-0807, CVE-2020-0809 and CVE-2020-0869 -- that could be used to install programs or change or delete data, according to the Talos blog.

The Dynamics 365 Business Central product's Critical vulnerability (CVE-2020-0905) "could allow attackers to execute arbitrary shell commands on a target system," according to Childs, although the exploit isn't straightforward. The victim would have to connect to a "malicious" Dynamics 365 Business Central client for this attack to succeed.

Other Details
As has become usual, Microsoft released Servicing Stack Updates this month. They commonly get listed in advisory ADV990001. Servicing Stack Updates are patches for the update mechanism itself. They're deemed "Critical" to apply by Microsoft.

Microsoft does list March patches for unsupported Windows systems, such as Windows 7 and Windows Server 2008. Presumably, though, organizations would need to have purchased Extended Security Updates beforehand to get those patches.

The U.S. Department of Homeland Security's CISA group issued an announcement on Tuesday that a vulnerability (CVE-2020-0688) in Microsoft Exchange Servers represents "an attractive target for malicious cyber actors." It's an Important-rated CVE, and Microsoft had issued a patch for it last month. However, CISA pointed to the U.S. National Security Agency's March 6 Twitter post, which stated that "if unpatched, an attacker with email credentials can execute commands on your server." Apparently, this flaw is getting used by an advanced persistent threat group, allegedly located in China, per a Kaspersky Threatpost article.

Lastly, Microsoft issued a couple of announcements this week for its partners that apparently explain some measures it has taken to ensure the success of hardware drivers for Windows systems. Bad drivers have been troublesome issues for Windows 10 feature updates in the recent past. One measure checks the successful download of drivers via the Windows Update service within the last 28 days. Another measure is a "gradual rollout process" for drivers based on hardware, which kicked off this month. The gradual rollout process is elucidated in this document.