Patch Tuesday It’s going to be a busy month for IT administrators as Microsoft, Intel, Adobe, and SAP have teamed up to deliver a bumper crop of security fixes for Patch Tuesday.
Redmond weighs in just under the century mark
Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities.
These included CVE-2020-0674, a remote code execution flaw in Internet Explorer’s Trident rendering engine that is already being exploited in the wild. This hole would typically be exploited by a malicious webpage or the like to infect a visiting vulnerable computer.
“Even if you don’t use IE, you could still be affected by this bug through embedded objects in Office documents,” noted Dustin Childs of the Trend Micro Zero Day Initiative.
“Considering the listed workaround – disabling jscript.dll – breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch.”
Four of this month’s other bugs have also been publicly disclosed, though none have been targeted in the wild yet. These include two elevation of privilege bugs in Windows Installer (CVE-2020-0683 and CVE-2020-0686), a security bypass in Secure Boot (CVE-2020-0689), and an information disclosure vulnerability in Edge and IE (CVE-2020-0706).
Exchange admins will want to pay close attention this month, as Microsoft has posted a fix for CVE-2020-0688, a flaw that allows remote code execution by way of poisoned e-mails.
“An attacker could gain code execution on affected Exchange servers by sending a specially crafted e-mail. No other user interaction is required,” noted Childs. “The code execution occurs at System-level permissions, so the attacker could completely take control of an Exchange server through a single e-mail.”
A remote code execution flaw (CVE-2020-0618) was also addressed in SQL Server’s Reporting Services component.
The browser scripting engine received its usual bundle of patches (CVE-2020-0673, CVE-2020-0767, CVE-2020-0710, CVE-2020-0712, CVE-2020-0713, CVE-2020-0711) for remote code execution bugs that can be exploited by a malicious website.
For Office, patches were doled out for an Excel remote code execution bug (CVE-2020-0759), an Outlook security bypass (CVE-2020-0696), an Office Online spoofing bug (CVE-2020-0695), an Office tampering flaw (CVE-2020-0697), and two cross-site scripting bugs in SharePoint (CVE-2020-0693, CVE-2020-0694).
Finally, if you’re still using Windows 7 and/or Windows Server 2008 R2 and you haven’t paid Microsoft for extended security support, there’s trouble brewing. There are five critical holes among 42 vulns in the end-of-life operating systems that need fixing. Bear in mind that criminals will already be hard at work reverse engineering the patches, and finding out how to write exploit code for them, so upgrade to a newer platform or start paying coin to Redmond.
Security folks joke about Exploit Wednesday, the day after Patch Tuesday when the latest round of exploit code is deployed, but there’s a grain of truth to this.
Adobe mends hole in the internet’s screen door with Flash fix
This month Adobe is rolling out fixes for two of its most widely used offerings: Flash and Acrobat/Reader.
For Flash Player, the patch addresses a single flaw, CVE-2020-3757, that would allow arbitrary code execution. Windows, macOS, Linux, and Chrome OS versions of the plug-in will all get the fix.
With Acrobat and Reader, a total of 17 bugs are addressed on Windows and macOS. The most serious will allow for arbitrary code execution, though no exploits have been reported in the wild.
The heaviest patch load was for Adobe FrameMaker, where 21 CVE-listed bugs were cleaned up. Arbitrary code execution would be the biggest risk here, with no active exploits reported.
CSME flaw highlights half-dozen Intel updates
Of the six Intel bulletins, the lone ‘high’ risk classification was for CVE-2019-14598. According to Intel, a flaw related to improper authentication in Converged Security and Manageability Engine (CSME) allows for denial of service or, more importantly, information disclosure and elevation of privilege.
EoP bugs made up the remaining five bulletins. Those included issues in RWC2 and RWC3 as well as the Manycore Platform Software Stack (MPSS). Another EoP issue, in SGX, was considered less of a risk and given a low severity label.
One flaw that will not be getting a fix is CVE-2020-0560. That elevation of privilege error, found in the outdated Renesas Electronics USB 3.0 driver, has prompted Chipzilla to simply discontinue the component and drop support. That’s certainly one way to get rid of buggy software.