Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update – 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.
This month’s haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike last month, Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.
Within the mix of critical issues, Microsoft tacked three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBscript scripting language used by Microsoft.
As for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.
“The vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user,” wrote Jay Goodman, strategic product marketing at Automox, via email. “What this means is that an attacker could run malicious code directly on the user’s system. If the user is logged in with administrative rights, those rights would extend to the code.”
As for the VBscript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. “[It] will give the user complete control over many aspects of the device,” Melick said.
As for the other critical bugs, 17 fixes are tied to Microsoft’s browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys’ Patch Tuesday team.
Jain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. “An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user,” he noted.
Todd Schell, senior product manager for security at Ivanti, pointed out that the Word issue “could be exploited through the Preview Pane in Outlook, making it a more interesting target for threat actors.”
He also noted that Microsoft announced a vulnerability in its Remote Desktop Connection Manager (CVE-2020-0765) that the software giant said it won’t fix. “They do not plan to release an update to fix the issue,” he said in a prepared statement. “The product has been deprecated. Their guidance is to use caution if you continue to use RDCMan, but recommends moving to supported Remote Desktop clients.”
This month Microsoft offered its usual perfunctory advice:
“Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack,” it wrote. Besides suggesting to users not to visit untrusted sites or click on suspect links, it recommends, “apply the principle of least privilege to all systems and services.”
Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.