Unveiling February 2020: Microsoft’s Essential Patch Tuesday Highlights

Overview
Microsoft has issued security updates to tackle 99 vulnerabilities that impact its Operating System (OS) along with other associated products.

The subsequent vulnerabilities have been categorized as critical and necessitate prompt action:
•    CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767 – These flaws are found in how the scripting engine manages objects in memory within Internet Explorer (IE) and Microsoft Edge. Exploiting these weaknesses could lead to memory corruption, allowing an attacker to execute arbitrary code under the current user’s context. Successful targeting of these vulnerabilities could give an attacker the same user permissions as the current user, resulting in control over the compromised system.
•    CVE-2020-0681, CVE-2020-0734 – These vulnerabilities occur when the Windows Remote Desktop Client connects to a malignant server. Exploitation of these flaws could enable an attacker to execute arbitrary code on the system of the connecting client.
•    CVE-2020-0662 – This flaw is related to how Windows processes objects in memory. An attacker with access to a domain user account could exploit this vulnerability to execute arbitrary code with administrative privileges on the host OS.
•    CVE-2020-0738 – This issue arises when Windows Media Foundation incorrectly manages objects in memory. Successful exploitation could permit an attacker to install software; view, modify, or erase data; or create new accounts with complete user access.
•    CVE-2020-0729 – This vulnerability exists in Microsoft Windows when processing a .LNK file. Successful exploitation might allow an attacker to run arbitrary code on the host OS.

Additionally, this release encompasses a security update for CVE-2020-0674, a zero-day remote code execution vulnerability found in IE. Microsoft has reported that the flaw was leveraged in limited targeted attacks: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001.

To view the comprehensive list of security patches released by Microsoft, please refer to https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Feb.

Impacted Products
The update from Microsoft includes adjustments for the following:

•    Microsoft Windows
•    Microsoft Edge (EdgeHTML-based)
•    Microsoft Edge (Chromium-based)
•    ChakraCore
•    Internet Explorer
•    Microsoft Exchange Server
•    Microsoft SQL Server
•    Microsoft Office and Microsoft Office Services and Web Applications
•    Windows Malicious Software Removal Tool
•    Windows Surface Hub

Consequences
Successful exploitation of these critical vulnerabilities could enable attackers to carry out remote code execution and gain control of the affected systems to conduct malicious activities, including unauthorized

installation of applications, the establishment of unauthorized administrator accounts and the capability to access, modify, or eliminate data.

Advice
Individuals and system administrators of impacted products are highly recommended to implement the security updates without delay.

Sources

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec
https://www.bleepingcomputer.com/news/microsoft/microsofts-december-2019-patch-tuesday-fixes-win32k-zero-day-36-flaws/

https://www.zdnet.com/article/microsoft-december-2019-patch-tuesday-plugs-windows-zero-day/