It’s March 2020 Patch Tuesday and Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The good news is that none of them are under active attack.
For the time being, Adobe seems to be skipping this Patch Tuesday and there’s no indication whether the customary security updates are just delayed or there won’t be any at all in the coming days.
Last month, Microsoft plugged 99 security holes in a variety of its products. Unexpectedly, this month the number is even higher.
The 26 critical flaws all allow remote code execution, but some are more easily exploited than others.
For example, CVE-2020-0852 affects Microsoft Word and exploitation can be achieved without the target having to open a specially crafted file that would trigger it.
“Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user,” noted Dustin Childs of Trend Micro’s Zero Day Initiative, who pointed out that a bug that doesn’t require tricking someone into opening a file should be enticing to malware and ransomware authors.
Also, once again, the company fixed yet another RCE (CVE-2020-0684) that can be triggered when a vulnerable target system processes a specially crafted .LNK file.
CVE-2020-0872 is an RCE affecting Microsoft Application Inspector (version v1.0.23 or earlier), the recently released source code analyzer that comes in handy for checking open source components for unwanted or risky features.
“To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component,” Microsoft explained.
“Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January,” Childs noted. “It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.”
CVE-2020-0905 is an RCE affecting the Dynamics Business Central client and could allow attackers to execute arbitrary shell commands on a target system.
“While this vulnerability is labeled as ‘Exploitation Less Likely,’ considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations,” urged Animesh Jain, Product Manager of Vulnerability Signatures at Qualys.
Childs is of the same mind. “Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly,” he added.
It must also be pointed out that, in this batch of fixes, there is one for a spoofing vulnerability in Microsoft Exchange Server, but this flaw is less serious than CVE-2020-0688, a fix for which was released in February but is still being actively exploited in the wild. Admins are advised to plug that security hole ASAP (if they haven’t already).
Mozilla updates Firefox
Adobe might not have released security updates on this March 2020 Patch Tuesday, but Mozilla released Firefox 74, with TLS 1.0 and TLS 1.1 disabled by default, stricter rules for add-ons, a tool for preventing Facebook from tracking users around the web, and several developer features.
No critical flaws have been fixed in this edition of the popular browser or in Firefox ESR 68.6 (also released today).
Richard Melick, Sr. Technical Product Manager, Automox, pointed out that while none of the Firefox flaws patched this time are under active exploitation, the time to weaponization averages 7 days, so users/admins should upgrade as soon as possible.
“Impacting the iPhone, CVE-2020-6812 stood out as a vulnerability that would allow a website with camera or microphone access to gather information on the user through the connected AirPods. While not the most critical, this information could be gathered and help adversaries track a user and further gather more personally identifiable information if left unpatched. Essentially, if you’re listening in, someone else may be as well,” he added.