Patch Tuesday – March 2020

This month sees a bumper crop of fixes from Microsoft, the biggest in the company’s history.

Windows and Windows Server

This month there are patches for 7 ‘Critical’ remote code execution (RCE) bugs for Windows 10, Windows Server 2016, and 2019. CVE-2020-0684 could allow an attacker to gain the same rights as the logged-in user when a .LNK file is parsed. That means that a user doesn’t need to open the .LNK file. When File Explorer or another application parses any removable drive or share containing an infected .LNK file, an attacker could run malicious code of their choice on the target system.

A memory corruption vulnerability in Windows Media Foundation (CVE-2020-0809) could let an attacker create new accounts with full user rights. Users would need to open a specially crafted document to allow the attacker to exploit the bug. A vulnerability (CVE-2020-0881) in the way the Windows Graphics Device Interface (GDI) handles objects in memory could let an attacker take control of the affected system, including creating new accounts with full user rights. Users without administrative rights would be less impacted by this bug.

Internet Explorer 11 and EdgeHTML get a series of fixes for RCE flaws rated Critical. Most of the remaining bugs, rated Important, are elevation of privilege (EoP) flaws, although there is one fix for Microsoft IIS Server that plugs a tampering issue when IIS improperly handles malformed request headers.

SMBv3 compression security advisory

Microsoft issued a security advisory (ADV200005) rated Critical. Microsoft says that it is aware of an RCE bug in Server Message Block 3.1.1. An attacker could exploit the way SMBv3 handles requests to run code on a target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

The flaw hasn’t been publicly exploited or disclosed, but Microsoft says SMB Servers can be protected by disabling SMBv3 compression. The workaround doesn’t protect SMBv3 Clients. For more information on the workaround, see Microsoft’s advisory (ADV200005).
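The server-side workaround can be audited and applied from PowerShell. This is an added example, not code from Microsoft's advisory or the original article: the function names are hypothetical, and the registry value is assumed to be the one ADV200005 documents, so confirm it against the advisory before deploying.

```powershell
# Added example: audit and optionally apply the ADV200005 server-side workaround.
# Assumption: DisableCompression under LanmanServer\Parameters is the value
# Microsoft's advisory documents. Run from an elevated prompt to apply it.
$SmbParamPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SmbValueName = 'DisableCompression'

function Get-SmbCompressionWorkaround {
    # Read the value; a missing value means compression has not been disabled.
    $item  = Get-ItemProperty -Path $SmbParamPath -Name $SmbValueName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$SmbValueName } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        Mitigated    = ($value -eq 1)   # 1 = SMBv3 compression disabled on the server
    }
}

function Set-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Supports -WhatIf and -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($SmbParamPath, "Set $SmbValueName = 1")) {
        Set-ItemProperty -Path $SmbParamPath -Name $SmbValueName -Type DWord -Value 1 -Force
    }
    # Report the resulting state so it can be logged per host.
    Get-SmbCompressionWorkaround
}

# Audit only: report the current state without changing anything.
Get-SmbCompressionWorkaround
```

A host reporting `Mitigated = True` is covered only in its SMB Server role; as noted above, the setting does nothing for that machine acting as an SMBv3 Client.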

Microsoft Office

Office 365 ProPlus gets patches for an RCE flaw in Microsoft Word. A memory vulnerability could let an attacker use a specially crafted file to perform actions in the context of the currently logged-in user. The Microsoft Outlook Preview Pane is an attack vector for the vulnerability.

Microsoft Exchange, SharePoint, and SQL Server

Exchange Server 2016 and 2019 get a patch for a spoofing flaw (CVE-2020-0903) that is rated Important. It is a cross-site-scripting vulnerability where Exchange doesn’t properly sanitize specially crafted web requests to affected servers. An attacker could use the flaw to run a script in the context of the currently logged-in user.

SharePoint Server 2016 and 2019 both get fixes for the same bugs that affect Microsoft Word (CVE-2020-0850 and CVE-2020-0852). Both bugs are RCEs, one rated Critical and the other Important.

There are no patches for Microsoft SQL Server this month.

Adobe software

Flash Player got an update yesterday, bringing Flash to version 32.0.0.344. Adobe said that it includes important bug fixes, but didn’t provide information on any security fixes.

That is it for another month!