February Patch Tuesday resolves IE zero-day
Microsoft released security updates for 99 unique vulnerabilities, including an Internet Explorer flaw the company had notified customers about last month.
Microsoft resolved an Internet Explorer zero-day and multiple publicly disclosed bugs among the 99 vulnerabilities it addressed on February Patch Tuesday.
In addition to the IE zero-day, Microsoft shared information about four other publicly disclosed vulnerabilities on February Patch Tuesday. Administrators will want to speed up their patching process for systems affected by these previously disclosed threats.
"There is enough information out there where threat actors could reverse engineer them pretty quickly," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.
Twelve CVEs this month are rated critical. In addition to Internet Explorer, other Microsoft products patched this month include the Windows operating system, ChakraCore, Exchange Server, SQL Server, Microsoft Office, Windows Malicious Software Removal Tool, Windows Surface Hub and the Microsoft Edge browser. Microsoft's release notes indicate both Edge browsers -- the original HTML-based one and the new Chromium-based one -- have corrections available for February Patch Tuesday.
The number of CVEs this month is the highest in recent memory, exceeding the 93 unique CVEs Microsoft corrected in August 2019.
Goettl noted that, aside from security updates for Exchange Server and SQL Server, the sheer number of CVEs in February Patch Tuesday shouldn't worry administrators because a significant portion of them involve the same products that get the most patches: Windows OS, web browsers and Microsoft Office.
"There's not a significantly higher number of updates this month compared to previous months. The good news for the operations side of the house is whether it's 15 CVEs or 99 CVEs, you know you're probably going to have the same lineup of updates on any given month," he said.
Microsoft addresses Internet Explorer zero-day
On Jan. 17, Microsoft issued a security advisory (ADV200001) for the Internet Explorer zero-day (CVE-2020-0674) but, because no patch was available, the company provided steps to mitigate potential damage by instructing administrators to restrict access to the JavaScript dynamic link library.
"That's a pretty drastic restriction. Anything that requires jscript.dll in the browser would have been inoperable," Goettl said.
The bug, which affects Windows server and client operating systems, is a remote-code execution vulnerability related to how the Internet Explorer scripting engine handles objects in memory. The vulnerability is rated critical only for client OSes due to the built-in protections on Windows Server that limit exposure to attacks originating from Internet Explorer.
An attacker who uses the IE zero-day exploit, either through a specially crafted website or a Microsoft Office document, could gain system access and pick up the same user rights as the current user. If the affected user is an administrator, the attacker could take full control to perform a variety of tasks, including viewing data or creating a new account with full user rights.
Microsoft released security updates to address the other previously disclosed vulnerabilities:
CVE-2020-0683 and CVE-2020-0686: These are elevation-of-privilege vulnerabilities rated important for Windows operating systems related to a flaw in the Windows Installer that could let an attacker evade access restrictions to add or remove files.
CVE-2020-0689: This vulnerability, rated important for Windows systems, could let an attacker evade secure boot and run malicious code. The security update prevents the operation of third-party bootloaders.
CVE-2020-0706: This information disclosure vulnerability affects both Internet Explorer and the Microsoft Edge browser (HTML-based version), but requires the affected user to click on a link that leads to a malicious site.
Fixes for Exchange Server and SQL Server released
Microsoft released two fixes for Exchange Server rated important that the company marked with "Exploitation More Likely."
CVE-2020-0688 is a remote-code execution vulnerability related to the platform mishandling objects in memory that an attacker could exploit without any user interaction by sending a specially crafted email to the server. Without the patch, the Exchange Server could be taken over, allowing the attacker to run a variety of tasks, including installing programs and deleting data.
CVE-2020-0692 is an elevation-of-privilege vulnerability that, if exploited, would give the attacker the same rights as any user of the Exchange Server and risk the exposure of mailbox contents. The update changes how Exchange Web Services handles security access tokens to prevent this threat.
For SQL Server, CVE-2020-0618 is a remote-code execution vulnerability rated important related to the platform's reporting services feature that, if exploited, would let an attacker execute code in the context of the service account.
Microsoft dangles fixes for unsupported Windows systems
Windows 7 and Windows Server 2008 and 2008 R2 left extended support last month but, in a curious turn of events, Microsoft continues to publicize the availability of patches for those systems this month -- but only for Extended Security Update subscribers.
"You can look, but you can't touch," Goettl said.
Users who go to the Microsoft Security Update portal can select Windows 7, Windows Server 2008 and Windows Server 2008 R2 systems to see the CVEs affecting those systems. For February Patch Tuesday, the number for each OS eclipses 40.
"I've been dealing with these extended support situations all the way back to Windows NT4. This is the first time where it's been like this," Goettl said. "Nobody -- nobody -- ever saw anything about these CVEs unless they had subscribed, and even then you had to log into your MSDN or a TechNet account to even see any of the details."