Microsoft’s February Patch Tuesday update was much more extensive then has been the norm with 99 CVEs being revealed with 12 considered critical and one fixing a memory corruption zero day in Internet Explorer that is being exploited in the wild.
February is also the first month that Microsoft did not issue a general update for Windows 7 and Server 2008 as each reached its end of service coverage in January. However, the company did post updates for those companies that arranged for an Extended Security Update for their software.
Ivanti’s Todd Schell, senior product manager, security, said the fact that Microsoft included these updates with their overall rollout could cause some confusion as some admins and consumers may mistakenly believe they can fix any issues associated with this now outdated software.
For those whose only concern is with supported software, Schell noted most admins will not have to do much, despite the high number of issues this month, as the updates are pushed automatically. There is one caveat.
“SQL and Exchange admins do get a bit of extra work this month as both of those products are included in the updates released,” he said.
The most prominent issue this month is CVE-2020-0674.
Microsoft issued an advisory notice for CVE-2020-0674 in January stating at the time it was aware of limited targeted attacks in a remote code execution vulnerability in the scripting engine of Internet Explorer across all versions of Windows that would let a hacker obtain the same rights as a current user. CVE-2020-0674 is only rated a moderate threat, but Satnam Narang, senior research engineer at Tenable, told SC Media it is important for organizations to apply the patch as soon as possible.
Additional high-priority critical vulnerabilities patched by Microsoft included CVE-2020-0662, a remote code execution vulnerability exists in the way that Windows handles objects in memory; CVE-2020-0681, a remote code execution vulnerability in the Windows Remote Desktop Client that can be exploited when a user connects to a malicious server; and CVE-2020-0729, a remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.
Jimmy Graham, senior director of product management, vulnerability at Qualys, said that while CVE-2020-0662 is labeled by Microsoft as less likely to be exploited, “this vulnerability can be attacked over the network with no user interaction. The impacted service is not stated in the bulletin. Based on the information given, this should be prioritized across all Windows servers and workstations.”
CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange, was picked by Allan Liska, intelligence analyst at Recorded Future, for special consideration. He noted that while it is only rated a important - and not critical – vulnerability he believes it is particularly dangerous because it is likely to be exploited.
“The vulnerability exists in the way Exchange handles objects in memory. A specially crafted email would allow an attacker to exploit the Exchange Server and execute arbitrary code. Microsoft identifies this vulnerability as likely to be exploited,” Liska said.
Graham explained that exploitation of the flaw would lead to arbitrary code execution in the context of the System user, granting an attacker the ability to create a new account, install programs, and view, change or delete data.