Microsoft’s Patch Tuesday updates for March 2020 address 115 vulnerabilities, including 26 critical issues affecting Windows, Word, Dynamics Business Central, and the company’s web browsers.
Vulnerabilities have been patched in Windows, Edge, Internet Explorer, Exchange Server, Office, Azure DevOps, Windows Defender, Visual Studio, and Dynamics. The majority of the security holes resolved this month affect Windows (79 CVEs) and browsers (18 CVEs).
None of the vulnerabilities patched this month has been exploited in attacks or disclosed publicly before fixes were made available.
Experts from several cybersecurity companies have commented on this month’s patches:
Todd Schell, senior product manager, security, Ivanti:
“Microsoft has released Servicing Stack Updates for most of the Windows OS versions. The only exceptions this month are Windows 10 version 1703, Server 2008, and Windows 7/2008 R2.
Microsoft has announced a vulnerability for Remote Desktop Connection Manager (CVE-2020-0765), but states they do not plan to release an update to fix the issue. The product has been deprecated. Their guidance is to use caution if you continue to use RDCMan, but they recommend moving to supported Remote Desktop clients.
Microsoft has resolved several Information Disclosure vulnerabilities in the Windows OS this month in components such as GDI, Windows Graphics Component, Win32k, Windows Modules Installer Service, Windows Network Driver Interface Specification, and Connected User Experiences and Telemetry Service. These vulnerabilities could allow attackers to read from the file system, uninitialized memory, or even memory contents in kernel space from a user mode process. A couple of them could also allow an attacker to collect information that could allow them to predict addressing of memory.
The Microsoft Word Remote Code Execution vulnerability (CVE-2020-0852) could be exploited through the Preview Pane in Outlook, making it a more interesting target for threat actors.”
Animesh Jain, vulnerability management research team, Qualys:
“Workstation Patches: The Scripting Engine, LNK files (CVE-2020-0684), GDI+ (CVE-2020-0831, CVE-2020-0883) and Media Foundation (CVE-2020-0801, CVE-2020-0809, CVE-2020-0807, CVE-2020-0869) patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Microsoft Word RCE: A Remote Code Execution vulnerability (CVE-2020-0852) in Microsoft Word is also covered in today’s patch release. An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user.
Application Inspector RCE: Microsoft has also fixed a Remote Code Execution vulnerability (CVE-2020-0872) in Application Inspector. This vulnerability can allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. This patch should be prioritized, despite being labeled as “Important” by Microsoft.
Dynamics Business Central RCE: The Dynamics Business Central client is affected by a Remote Code Execution vulnerability (CVE-2020-0905) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as “Exploitation Less Likely,” considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations.”
Allan Liska, intelligence analyst, Recorded Future:
“We start with CVE-2020-0684, a Remote Code Execution vulnerability that exists in Windows 7 through 10 (remember, if you are still running Windows 7, Microsoft will not release a patch for this unless you have paid for extended support) and Windows Server 2008 through 2019. The vulnerability exists in the way Windows processes .LNK files. In order to exploit this vulnerability an attacker would need to trick a victim into clicking on a .LNK file to a remote share or a removable drive that contained malware.
While Microsoft rates this vulnerability as less likely to exploit, a similar vulnerability from 2017, CVE-2017-8464, is still being actively exploited in the wild, most notably by the BlackSquid exploit kit.
There is an elevation of privilege vulnerability in DirectX for Windows 10 and Windows Server 2016 and 2019. The vulnerability, CVE-2020-0690, exists in the way that DirectX handles objects in memory. An attacker who already has access to a victim’s system could use this vulnerability to gain administrative access. Microsoft rates this vulnerability as more likely to be exploited and has assigned it a CVSS score of 7. Recorded Future notes that previous DirectX vulnerabilities, such as CVE-2019-1176 and CVE-2018-8554, have not been widely exploited.
Microsoft announced four remote code execution vulnerabilities in Microsoft Word this month. CVE-2020-8050, CVE-2020-8051, CVE-2020-8052, and CVE-2020-8055 are vulnerabilities in the way Microsoft Word handles objects in memory. To exploit these vulnerabilities an attacker would need to send a specially crafted Microsoft Word document via email and convince a victim to click on the email or get the user to visit a website with a trojanized Word document. Of note, CVE-2020-8052 can be exploited just with the Microsoft Outlook Preview Pane, without ever opening the Microsoft Word Document. As Recorded Future has previously noted, Microsoft Office is among the most popular attack vectors for cybercriminals. We expect one or more of these vulnerabilities will be weaponized sooner rather than later.”
Jay Goodman, strategic product marketing, Automox:
“Notable vulnerabilities include CVE-2020-0833, CVE-2020-0824, and CVE-2020-0847. Despite a heavy February Patch Tuesday, March continues the cadence with triple-digit vulnerabilities and even more critical vulnerabilities.
CVE-2020-0833 and CVE-2020-0824 are remote code execution vulnerabilities in Internet Explorer. The vulnerabilities could corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user. What this means is that an attacker could run malicious code directly on the user’s system. If the user is logged in with administrative rights, those rights would extend to the code.
CVE-2020-0847 is also a remote code execution vulnerability, this time in VBScript. VBScript is a scripting language used by Microsoft. It allows system admins to run powerful scripts and tools for managing endpoints and will give the user complete control over many aspects of the device. This vulnerability is based on a similar corrupt memory exploit that would allow an adversary to execute code. This attack method is common through phishing and compromised websites. An attacker could use a website crafted to exploit the vulnerability through the browser, using common phishing techniques like a resume or billing notification to drive users to the compromising site. Vulnerabilities like this are a very common attack vector given the ease of setup for the attacker and the likelihood of success getting users to click links.
Overall, this is yet another heavy Patch Tuesday for Microsoft customers. The race to end your vulnerabilities today is on. Attackers will again have plenty of vulnerabilities to choose from when crafting their next attack campaign.”
Richard Tsang, senior software engineer, Rapid7:
“Let’s start off talking about CVE-2020-0688 from last month — the Microsoft Exchange Validation Key RCE vulnerability. At the time it was published February 11, 2020, the vulnerability had not seen active exploitation. As of March 9, 2020, there were increasing reports of activity happening on unpatched Exchange Servers surrounding this vulnerability. If you hadn’t had a chance to take action on that, I would give it a bit of love over the whopping 112 new vulnerabilities brought forth by Microsoft this March 2020 Patch Tuesday. It’s worth noting that Metasploit has a module out already to help detect this, as does InsightVM.
The focus on bringing CVE-2020-0688 in line gives a general feel of what this month’s Patch Tuesday is like. While 112 vulnerabilities is not something to just brush aside, especially given the wide breadth of products and components patched up this month, we do get to enjoy the fact that almost all the vulnerabilities can be remediated simply by patching. Our outlier vulnerability this month (when it comes to straightforward remediations) is CVE-2020-0765. This information disclosure vulnerability against their deprecated Remote Desktop Connection Manager (RDCMan) product has no planned fixes. The best course of action is to find a replacement or adjust processes to avoid a scenario where an attacker is able to read arbitrary files after convincing an authenticated user to open a specially crafted RDG file. As stated (nearly) monthly, good security hygiene will always help mitigate these risks.
With that oddity aside, patching your operating systems immediately closes the door against 78 vulnerabilities. For those that follow the monthly-rollup track of patching systems, it would include browser fixes which brings our remediation count to 96 vulnerabilities. That’s 86% of vulnerabilities published by Microsoft remediated from a “single patch”! From a software remediations perspective, this month may be grounds for celebration by this relatively straight-forward track to follow: patch up CVE-2020-0688 (from last month) if you have Exchange Servers, then patch this month’s operating system patches, then Microsoft Office and SharePoint.”
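The remediation track described in the commentary above (the operating system cumulative update first, then application patches, with RDCMan replaced rather than patched) is easiest to verify from the endpoint itself. The PowerShell below is an added example written for this page; it is not code from Rapid7, Ivanti, or any other vendor quoted in the article. It uses the Windows Update Agent COM API (Microsoft.Update.Session) to list quality updates still pending on a host and flags those whose title starts with the "2020-03" release prefix Microsoft puts on its monthly cumulative updates, then inventories RDCMan installs and .rdg connection files, since CVE-2020-0765 has no fix and the product should be retired. The "2020-03" title prefix, the RDCMan install paths, and the profile search path are assumptions, not details from the article.

```powershell
# Added example (not from the article or the vendors quoted in it).
# Audits a Windows host against the March 2020 Patch Tuesday remediation track:
#   1. which quality updates are still pending, via the Windows Update Agent (WUA) COM API
#   2. whether the deprecated Remote Desktop Connection Manager (RDCMan) and its .rdg
#      files are present, since CVE-2020-0765 has no planned fix and the product should be replaced
# Run in an elevated PowerShell session; the WUA search needs reachability to the
# configured update source (Windows Update or WSUS).

# Assumption: monthly cumulative update titles begin with "<year>-<month>", e.g. "2020-03 Cumulative Update for ...".
$ReleasePrefix = '2020-03'

function Get-PendingQualityUpdate {
    param([string]$Prefix = $ReleasePrefix)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0 returns updates applicable to this host that have not been installed yet.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title       = $update.Title
            KB          = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity    = $update.MsrcSeverity
            IsThisMonth = $update.Title.StartsWith($Prefix)
        }
    }
}

function Get-RdcManExposure {
    # Assumed install locations for RDCMan; adjust for your environment.
    $exePaths = @(
        "$env:ProgramFiles\Microsoft\Remote Desktop Connection Manager\RDCMan.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Remote Desktop Connection Manager\RDCMan.exe"
    )
    $installed = @($exePaths | Where-Object { Test-Path $_ })

    # .rdg files are the RDCMan connection files a user would be tricked into opening.
    $rdgFiles = @(Get-ChildItem -Path "$env:SystemDrive\Users" -Filter *.rdg -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)

    [pscustomobject]@{
        RdcManInstalled = ($installed.Count -gt 0)
        RdcManPaths     = $installed
        RdgFiles        = $rdgFiles
    }
}

$pending          = @(Get-PendingQualityUpdate)
$missingThisMonth = @($pending | Where-Object IsThisMonth)

"Pending updates on $env:COMPUTERNAME : $($pending.Count)"
$pending | Sort-Object IsThisMonth -Descending | Format-Table Title, KB, Severity, IsThisMonth -AutoSize

if ($missingThisMonth.Count -gt 0) {
    Write-Warning "$($missingThisMonth.Count) update(s) from the $ReleasePrefix release are not installed; the OS cumulative update closes most of this month's CVEs."
} else {
    "No $ReleasePrefix updates pending."
}

$rdc = Get-RdcManExposure
if ($rdc.RdcManInstalled -or $rdc.RdgFiles.Count -gt 0) {
    Write-Warning "RDCMan present or .rdg files found; no fix is planned for CVE-2020-0765, so plan a replacement."
    $rdc | Format-List
}
```

The Exchange step of the track (CVE-2020-0688 from February) is deliberately not automated here: Exchange security updates are MSP patches that do not appear in the WUA quality-update list, and confirming them requires comparing the installed Exchange build against the patched build for that cumulative update, a table the article does not provide.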