Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important.
The update includes a patch for the zero-day memory-corruption vulnerability disclosed in late January that’s under active attack. The bug tracked as CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote code-execution and complete takeover.
“This browser bug impacts IE and the other programs that rely on the Trident rendering engine,” explained Dustin Childs, researcher with Trend Micro’s Zero Day Initiative, in his Patch Tuesday analysis. “Attackers can execute code on affected systems if a user browses to a specially crafted website. Even if you don’t use IE, you could still be affected by this bug though embedded objects in Office documents. Considering the listed workaround – disabling jscript.dll – breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch.”
Also of note: February 2020 marks the first security updates for the new Edge Chromium browser edition. There were 41 vulnerabilities fixed in the Chromium-based Edge version that were technically not part of Patch Tuesday – which brings the total number of bugs fixed by Microsoft this week to 140.
Critical Patches for February 2020
The update includes a wealth of “standout” bugs, according to researcher analyses, including several critical vulnerabilities in addition to the zero day.
According to Jay Goodman, technical marketing manager at Automox, bugs to watch include CVE-2020-0618 and CVE-2020-0662 (only the latter is listed as critical), which are nearly identical remote code-execution (RCE) bugs in SQL Server 2012, 2014 and 2016 (32 and 64 bit) and Windows 7, 8.1, 10, Server 2008, 2012, 2016 and 2019, respectively.
“These vulnerabilities allow attackers to access a system and read or delete contents, make changes or directly run code on the system,” he said via email. “This gives an attacker quick and easy access to not only your organization’s most critical data stored in the SQL server but also a platform to perform additional malicious attacks against other devices in your environment.”
The critical bug can lead to RCE if an attacker has Domain User credentials, according to Jimmy Graham, researcher with Qualys.
“While this vulnerability is labeled as ‘exploitation less likely,’ this vulnerability can be attacked over the network with no user interaction according to the CVSS Vector Strings set by Microsoft,” he explained in an analysis. “The impacted service is not stated in the bulletin. Based on the information given, this should be prioritized across all Windows servers and workstations.”
“Exploitation of these requires an attacker to either persuade their victim into connecting to a vulnerable Remote Desktop Server operated by the attacker, or plant malicious code on a compromised Remote Desktop Server and wait for the vulnerable user to connect to it,” Satnam Narang, senior research engineer at Tenable, explained via email.
Richard Tsang, senior software engineer at Rapid7, told Threatpost that CVE-2020-0734 is a critical Windows Remote Desktop Client vulnerability that exists in how connection requests are handled.
“The stream of Windows Remote Desktop vulnerabilities continues, albeit having slowed down,” he said. “In this scenario, a compromised legitimate server (or a malicious server) can be used to trigger the remote code execution. Given the extra eyes on RDP vulnerabilities of late, prioritizing operating system patches on this front would be a prudent move.”
One other critical bug to note is CVE-2020-0729, a .LNK RCE vulnerability, which Childs said is similar to the bug that was exploited by the Stuxnet malware. Stuxnet was used to take out Iranian nuclear enrichment facilities in 2012. The new bug can also be used to attack air-gapped “secure” systems, he said, by exploiting shortcut .LNK files.
“Bugs impacting link files (.LNK) never fail to amaze me,” said Childs. “An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or – as has been seen in the past – placing the .LNK file on a USB drive and having the user open it. It’s a handy way to exploit an air-gapped system.”
The other critical bugs fixed by Microsoft in February are CVE-2020-0738, a Media Foundation Memory Corruption Vulnerability allowing RCE; and several Scripting Engine Memory Corruption Vulnerabilities allowing RCE. This latter group includes CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0673 and CVE-2020-0767.
As for the important-rated patches, the volume of elevation-of-privilege (EoP) bugs being patched is “somewhat staggering,” ZDI’s Childs noted, with 55 patches in all. Also, information-disclosure bugs are well-represented, with 16 patches in February, including a publicly known bug (CVE-2020-0706) impacting IE and Edge. Childs said that six of them exist in the Cryptography Next Generation (CNG) portion of the Windows Key Isolation service.
Childs also flagged CVE-2020-0688, a memory-corruption bug in Microsoft Exchange, which could be trivially exploited to grant an attacker the ability to create a new account, install programs, and view, change or delete data.
“This code-execution bug in Exchange is only listed as important, but you should treat it as a critical-rated vulnerability,” he said. “An attacker could gain code execution on affected Exchange servers by sending a specially crafted email. No other user interaction is required. The code execution occurs at System-level permissions, so the attacker could completely take control of an Exchange server through a single email.”
Racing Against Exploitation
Microsoft’s February update is the largest in quite some time, researchers said, with flaws disclosed for Windows, Edge (EdgeHTML-based), ChakraCore, Internet Explorer (IE), SQL Server, Exchange Server, Office, Office Services and Web Apps, Azure DevOps Server, Team Foundation Server and the Microsoft Malware Protection Engine.
And, five of the CVEs (including the previously mentioned zero day and the info-disclosure bug affecting browsers) have been publicly disclosed — and thus offer a threat actors a head start on exploitation.
“Overall, this is a very heavy Patch Tuesday on the Microsoft end. The race to patch critical vulnerabilities on your systems within the next 72 hours is on,” Goodman advised. “Attackers will have no shortage of exploitable vulnerabilities and new attack vectors to bring to bear in the coming days with nearly every build of Windows accounted for with critical vulnerabilities.”
Also, for the first time, Microsoft is not updating Windows 7 this month.
“Today is a significant Patch Tuesday, marking the first time there will be no patches for Windows 7,” Rui Lopes, engineering and technical support director at Panda Security, told Threatpost. “However, that doesn’t mean there aren’t vulnerabilities. In fact, today’s release features several critical and zero-day patches to be deployed, so any machines still running Windows 7 are now, by default, exceptionally vulnerable—providing open doors for hackers to walk through and exploit. Therefore, if you have any devices running Windows 7, it is top priority to update them immediately.”
The good news, according to Todd Schell, senior product manager for security at Ivanti, is that most of the CVEs can be resolved by applying just a few Microsoft updates.
“On average, your OS updates will resolve around 50 CVEs,” he explained, via email. “The normal updates still apply. OS, browsers, and Office will resolve most of your vulnerabilities from the Microsoft side. SQL and Exchange Admins do get a bit of extra work this month as both of those products are included in the updates released…[but with] a couple of patches per system you can take the teeth out of the majority of the risk this month.”
One vulnerability worth mentioning in this context this month is CVE-2020-0689, a security feature bypass that was also previously disclosed; an attacker could bypass secure boot and load untrusted software.
Both Childs and Tsang noted that while the vulnerability itself is not that interesting, what stands out is the fact that the remediation steps are different from the usual patching practices.
“Whereas most operating system-level vulnerabilities are bundled in either a Security-Only/Monthly Rollup or Cumulative Update stream, this fix is segregated out in separate KB patches that also have explicit Servicing Stack Update prerequisites,” Tsang said. “The idea that there’s a change in process, in itself, is something to note.”
Childs added, “While this is certainly a bug to scrutinize, it’s compounded by a non-standard patching process. This month’s servicing stack must first be applied, then additional standalone security updates need to be installed. If you have the Windows Defender Credential Guard (Virtual Secure Mode) enabled, you’ll need to go through two additional reboots as well. All this is needed to block impacted third-party bootloaders.”
Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.