February 2020 Patch Tuesday is here. To mark the occasion, Microsoft has released fixes for 99 vulnerabilities – 12 of them critical, one of which is being exploited in the wild – and Adobe has released fixes for 42, most of which are critical but none of which are actively exploited.
Security updates have been provided for various products:
- FrameMaker, a document processor designed for writing and editing large or complex documents
- Acrobat and Reader (for PDF file creation, encryption, publishing, viewing, printing, etc.)
- Flash Player (the name says it all)
- Digital Editions (reader software for eBooks and other digital publications)
- Experience Manager (a web-based client-server system for building, managing and deploying commercial websites and related services).
Given that 38 of the 42 flaws patched by Adobe this Tuesday are rated critical, all of the updates except the one for Experience Manager should be implemented quickly.
That said, users and admins should definitely give priority to some of Microsoft’s patches.
As noted above, Microsoft fixed nearly 100 vulnerabilities this Tuesday, spread across a number of products: Windows, Edge, IE, SQL Server, Exchange Server, Office, and more.
Five of the vulnerabilities fixed in this batch are publicly known and one (critical) is under active attack: CVE-2020-0674.
CVE-2020-0674 is a memory corruption vulnerability that allows remote code execution and affects Internet Explorer. Its existence and exploitation in “limited targeted attacks” was revealed mid-January, through an out-of-band security advisory.
At the time, Microsoft offered mitigation steps but no fix. A few days later ACROS Security released a micropatch that implements the workaround. Now Microsoft has finally released a fix.
“Even if you don’t use IE, you could still be affected by this bug through embedded objects in Office documents. Considering the listed workaround – disabling jscript.dll – breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch,” advised Dustin Childs of Trend Micro’s Zero Day Initiative.
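Because the published workaround for CVE-2020-0674 restricted access to jscript.dll rather than installing a fix, admins who applied it now need to find those machines and revert the change once the February patch is deployed. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the workaround took the form of a Deny ACE for Everyone on jscript.dll (and a change of file owner via takeown), which is how the public advisory described it, and reports both indicators plus the file version so the inventory can be compared against patched hosts.

```powershell
# Added example: audit jscript.dll for the CVE-2020-0674 access-restriction
# workaround so it can be reverted after the February 2020 patch is installed.
# Assumption: the workaround is a Deny ACE for the Everyone SID (S-1-1-0) on
# jscript.dll, and the file owner was changed from TrustedInstaller by takeown.
$everyoneSid = 'S-1-1-0'

$targets = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')   # present on 64-bit Windows only
)

foreach ($path in $targets) {
    if (-not (Test-Path -Path $path)) { continue }

    $acl = Get-Acl -Path $path

    # Resolve each ACE's identity to a SID so the check works on localized systems
    # where the Everyone group has a different display name.
    $denyEveryone = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
    }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Path            = $path
        FileVersion     = (Get-Item -Path $path).VersionInfo.FileVersion
        Owner           = $acl.Owner
        WorkaroundFound = [bool]$denyEveryone
    }
}
```

Run it with a tool such as Invoke-Command across the estate and filter on WorkaroundFound; any host that reports True should have the Deny entry removed and ownership returned to TrustedInstaller before or immediately after the update is installed, otherwise scripting functionality stays broken even once the vulnerability itself is fixed.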
He also singled out CVE-2020-0688, a code execution bug affecting Microsoft Exchange, as critical because it’s easily exploitable (via a specially crafted email), and CVE-2020-0729, an RCE impacting shortcut (.LNK) files, similar to the one used to deliver Stuxnet to air-gapped systems.
Jimmy Graham, Senior Director of PM, Vulnerability at Qualys, pointed to CVE-2020-0662, a Windows RCE flaw, as one that warrants attention and prompt deployment of the fix. The flaw can lead to RCE if an attacker has Domain User credentials.
“While this vulnerability is labeled as ‘Exploitation Less Likely,’ this vulnerability can be attacked over the network with no user interaction according to the CVSS Vector Strings set by Microsoft. The impacted service is not stated in the bulletin. Based on the information given, this should be prioritized across all Windows servers and workstations,” he advised.
He also urged admins to prioritize Scripting Engine, LNK files, and Media Foundation patches for workstation-type devices.
“Overall, this is a very heavy Patch Tuesday on the Microsoft end,” noted Jay Goodman, Technical Marketing Manager at Automox.
“The race to patch critical vulnerabilities on your systems within the next 72 hours is on. Attackers will have no shortage of exploitable vulnerabilities and new attack vectors to bring to bear in the coming days with nearly every build of Windows accounted for with critical vulnerabilities.”