This month’s Microsoft Patch Tuesday addresses 115 vulnerabilities with 26 of them labeled as Critical. Of the 26 Critical vulns, 17 are for browser and scripting engines, 4 are for Media Foundation, 2 are for GDI+ and the remaining 3 are for LNK files, Microsoft Word and Dynamics Business. Microsoft also issued a patch for an RCE in Microsoft Word. Adobe has not posted any patches for Patch Tuesday.
On the basis of volume and severity this Patch Tuesday is heavy in weight.
See details of the new detections, including description, consequence and solution.
The Scripting Engine, LNK files (CVE-2020-0684), GDI+(CVE-2020-0831, CVE-2020-0883) and Media Foundation (CVE-2020-0801, CVE-2020-0809, CVE-2020-0807, CVE-2020-0869) patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Microsoft Word RCE
A Remote Code Execution vulnerability (CVE-2020-0852) in Microsoft Word is also covered in today’s patch release. An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user.
Application Inspector RCE
Microsoft has also fixed a Remote Code Execution vulnerability (CVE-2020-0872) in Application Inspector. This vulnerability can allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. This patch should be prioritized, despite being labeled as “Important” by Microsoft.
Dynamics Business Central RCE
Dynamics Business Central client is affected by a Remote Code Execution vulnerability ( CVE-2020-0905) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as “Exploitation Less Likely,” considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations.
There are no Adobe patches released for this Month’s Patch Tuesday.
Update March 11, 2020: See Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)