It has been reported that Microsoft has released its February 2020 Patch Tuesday security updates. This month’s updates include fixes for a whopping 99 vulnerabilities, making this Microsoft’s biggest Patch Tuesday known to date. The highlight of this month’s security train represents the fix for CVE-2020-0674, a zero-day vulnerability in Internet Explorer.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
This month’s Patch Tuesday release contains updates for a staggering 99 CVEs, 12 of which are rated as critical. This is one of the largest Patch Tuesday releases we’ve seen in recent times. Microsoft released a patch for CVE-2020-0674, a memory corruption vulnerability in Internet Explorer that Microsoft issued an advisory for in January, cautioning that the flaw had been exploited in the wild. At the time, Microsoft only provided mitigation instructions and did not release an out-of-band patch. Details about the in-the-wild exploitation of the flaw are still not known, but it is important for organizations to apply these patches as soon as possible.
Additionally, multiple vulnerabilities in Remote Desktop were patched, including two remote code execution vulnerabilities that are likely to be exploited, according to Microsoft. These flaws, identified as CVE-2020-0681 and CVE-2020-0734, exist in Remote Desktop Client. Exploitation of these requires an attacker to either persuade their victim into connecting to a vulnerable Remote Desktop Server operated by the attacker, or plant malicious code on a compromised Remote Desktop Server and wait for the vulnerable user to connect to it.
Microsoft also patched CVE-2020-0688, a memory corruption vulnerability in Microsoft Exchange. To exploit this vulnerability, an attacker would need to send a specially crafted email to a vulnerable Exchange server. Exploitation of the flaw would lead to arbitrary code execution in the context of the System user, granting an attacker the ability to create a new account, install programs, and view, change or delete data.