February is the shortest month, even on this leap year, but that doesn’t mean there is a shortage of vulnerabilities to be patched. In fact, Microsoft’s February Patch Tuesday security updates address a large number than usual: a whopping 99 in total.
This includes 72 vulnerabilities in the latest versions of Windows 10, 50 in Windows 8.1, and 47 in Windows 7 for those with ESU (extended security updates) through volume licensing and cloud solution providers, which include security updates for critical and important issues as defined by Microsoft Security Response Center (MSRC) for a maximum of three years after January 14, 2020 (available for purchase for Windows 7 Professional and Enterprise editions only).
On the server-side, we have a similar situation: 73 vulnerabilities patched in Server 2019, 65 in Server 2016, 50 in Server 2012 R2, and 47 in Server 2008 R2 with ESU.
It’s worth noting that computers running Windows 7 or Server 2008 R2 without the purchase of the ESU will not receive updates this month, as support for the OS ended Jan. 14, 2020. You can find out more about ESU on the Microsoft Support website. If you attempt to update a Windows 7 computer that does not have ESU, you may receive an error message that says, “Failure to configure Windows updates. Reverting Changes” and warns you not to turn off the computer.
The good news is that only five of the vulnerabilities addressed this month for Windows client and server operating systems are rated critical. The bad news is that all of these vulnerabilities do affect Windows 7, so those who are unable to update the OS are open to attack.
Windows client and server critical vulnerabilities
Let’s take a look now at each of the critical issues fixed in Microsoft’s February Patch Tuesday:
CVE-2020-0662: Windows Remote Code Execution Vulnerability
This is a memory-handling problem that creates a vulnerability that could be exploited to run arbitrary code with elevated permissions, by creating a specially designed request. It has not been publicly disclosed prior to the patch release, and there are no accounts of it being exploited in the wild. Exploitation is less likely since the attacker would need to have a domain user account. It is, however, designated as critical on all currently supported versions of Windows Server (including server core installations) and the Windows 8.1, 7, and 10 client operating systems. Microsoft hasn’t identified any mitigating factors or workarounds for the issue.
CVE-2020-0681: Remote Desktop Client Remote Code Execution Vulnerability
This is a vulnerability in the Remote Desktop (RDP) client software that is included in Windows. It’s a remote code execution vulnerability by which an attacker could execute arbitrary code on a client computer that connects to a malicious server or a compromised legitimate server. It has not been publicly disclosed prior to the patch release, and there are no accounts of it being exploited in the wild. Exploitation is less likely since the attacker would need to have control of a server and would have to persuade a user to connect to it. It is, however, designated as critical on all currently supported versions of Windows Server (including server core installations) and the Windows 8.1, 7, and 10 client operating systems. Microsoft hasn’t identified any mitigating factors or workarounds for the issue.
CVE-2020-0729: LNK Remote Code Execution Vulnerability
This is a vulnerability in Windows that has to do with the processing of link files (.LNK). It’s another remote code execution vulnerability that can be exploited to run arbitrary code with the same rights as the logged-in user. It has not been publicly disclosed prior to the patch release, and there are no accounts of it being exploited in the wild. Exploitation is less likely since the attacker would need to present the malicious .LNK file to the user and persuade the user to open it. It is, however, designated as critical on all currently supported versions of Windows Server (including server core installations) and the Windows 8.1, 7, and 10 client operating systems. Microsoft hasn’t identified any mitigating factors or workarounds for the issue.
CVE-2020-0734: Remote Desktop Client Remote Code Execution Vulnerability
This is another vulnerability in the Remote Desktop client on Windows that is similar to CVE-2020-0681, described above. Like that one, it works by having the client connect to a malicious or compromised server so the attacker would need to have control of such a server, making it less likely to be exploited. It has not been publicly disclosed prior to the patch release, and there are no accounts of it being exploited in the wild. As with the rest of the vulnerabilities in this list, it is designated as critical on all currently supported versions of Windows Server (including server core installations) and the Windows 8.1, 7, and 10 client operating systems and Microsoft hasn’t identified any mitigating factors or workarounds for the issue.
CVE-2020-0738: Media Foundation Memory Corruption Vulnerability
This last of the five critical Windows vulnerabilities is a memory corruption issue in Windows Media Foundation. WMF is the multimedia framework and platform used to develop applications and components for using digital media on Windows Vista and later operating systems. An attacker could exploit the vulnerability by persuading a user to visit a malicious web site or open a malicious document. Exploitation is less likely such user action is required. It is, however, designated as critical on all currently supported versions of Windows Server (including server core installations) and the Windows 8.1, 7, and 10 client operating systems. Microsoft hasn’t identified any mitigating factors or workarounds for the issue.
Windows web browser vulnerabilities
Microsoft patched seven and three vulnerabilities in the (old) Edge web browser and Internet Explorer 11, respectively.
NOTE: If you’re running the new version of Edge that is based on Chromium, see Google’s Chrome Releases Blog for information on the vulnerabilities fixed in the stable channel update version 80.0.361.48. We also cover each month’s Chromium updates in our monthly roundup of security updates for non-Microsoft products.
The following are the two critical vulnerabilities patched in IE 11:
CVE-2020-0673 and CVE-2020-0674 – both of these are scripting engine memory corruption vulnerabilities that could be exploited to execute remote code in the context of the current user. Exploitation is considered more likely.
Note that CVE-2020-0674 is considered a zero-day vulnerability. Attacks exploiting this vulnerability were detected in January and the company issued security advisory ADV200001 then. These appeared to be targeted attacks against a limited number of victims.
The following are the five critical vulnerabilities patched in the non-Chromium version of Edge:
CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, and CVE-2020-0767 are all scripting engine vulnerabilities in the ChakraCore scripting engine that could be exploited to execute remote code in the context of the current user. Exploitation is considered less likely.
The following four critical vulnerabilities were patched in the Chromium-based version of Edge:
CVE-2020-6378, CVE-2020-6379, CVE-2020-6380, and CVE-2020-0601 – these include two use-after-free issues that allowed a remote attacker to potentially exploit heap corruption, insufficient policy enforcement in extensions that could allow a remote attacker to bypass site isolation, and a spoofing vulnerability in Windows CryptoAPI that could be exploited to make a malicious executable appear to be from a trusted source.
You can find more information and a listing of the non-critical CVEs addressed in the Chromium-based version of Edge in Microsoft Security Advisory ADV200002.
Other products
In addition to the updates for Windows and the web browsers, Microsoft released updates this month for Microsoft Office and Office Web Apps, ASP.NET core, .NET core, .NET Framework, Microsoft Dynamics, and OneDrive for Android.
None of the updates for Office are rated critical. The vulnerabilities patched include:
CVE-2020-0693: Microsoft Office SharePoint XSS Vulnerability
CVE-2020-0694: Microsoft Office SharePoint XSS Vulnerability
CVE-2020-0695: Microsoft Office Online Server Spoofing Vulnerability
CVE-2020-0696: Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2020-0697: Microsoft Office Tampering Vulnerability
CVE-2020-0759: Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-0695: Microsoft Office Online Server Spoofing Vulnerability
All of these are rated Important. More information about these updates can be found through the links or the Security Update Guide in the MSRC portal.
Featured image: Shutterstock / TechGenix photo illustration
