Microsoft addresses a staggering 99 CVEs in the February 2020 Patch Tuesday release. This update contains 17 remote code execution flaws and 12 vulnerabilities rated as critical.
This month’s updates include patches for Microsoft Windows, Microsoft Office, Microsoft Edge, Internet Explorer, Microsoft Exchange Server, Microsoft SQL Server, Microsoft Office Service and Web Apps, Windows Malicious Software Removal Tool and Windows Surface Hub.
Commenting on this Satnam Narang, Senior Research Engineer at Tenable said “This month’s Patch Tuesday release contains updates for a staggering 99 CVEs, 12 of which are rated as critical. This is one of the largest Patch Tuesday releases we’ve seen in recent times.
Microsoft released a patch for CVE-2020-0674, a memory corruption vulnerability in Internet Explorer that Microsoft issued an advisory for in January, cautioning that the flaw had been exploited in the wild.
At the time, Microsoft only provided mitigation instructions and did not release an out-of-band patch. Details about the in-the-wild exploitation of the flaw are still not known, but it is important for organizations to apply these patches as soon as possible.
Additionally, multiple vulnerabilities in Remote Desktop were patched, including two remote code execution vulnerabilities that are likely to be exploited, according to Microsoft.
These flaws, identified as CVE-2020-0681 and CVE-2020-0734, exist in Remote Desktop Client. Exploitation of these requires an attacker to either persuade their victim into connecting to a vulnerable Remote Desktop Server operated by the attacker or plant malicious code on a compromised Remote Desktop Server and wait for the vulnerable user to connect to it.
Microsoft also patched CVE-2020-0688, a memory corruption vulnerability in Microsoft Exchange. To exploit this vulnerability, an attacker would need to send a specially crafted email to a vulnerable Exchange server.
Exploitation of the flaw would lead to arbitrary code execution in the context of the System user, granting an attacker the ability to create a new account, install programs, and view, change or delete data.