Patch Tuesday – February 2020
This month is a big one for sysadmins patching Microsoft products. So let’s get started.
Windows and Windows Server
To read more about the IE zero-day, check out Microsoft Issues Zero-Day Advisory for Internet Explorer on Petri.
Remote Desktop vulnerabilities
There are several other bugs patched for Windows this month that are rated critical. And as usual, some of them are for Remote Desktop. This month’s patched vulnerabilities for the Remote Desktop Client would require an attacker to trick or persuade a user to connect to a malicious server using DNS poisoning or a man-in-the-middle attack. But if successfully exploited, the attacker could run processes and change data with full user rights.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
CVE-2020-0662 is also an RCE rated critical and it could allow an attacker to run code in the context of the logged-in user. CVE-2020-0738 is another critical RCE in the way Windows Media Foundation handles objects in memory. It could let an attacker perform actions with full user rights.
From the updates rated important, there’s one RCE connected to a flaw in Remote Desktop Services, again allowing an attacker to run code with full user rights on a remote system.
Active Directory TGT delegation update
There’s a patch for an elevation of privilege (EoP) vulnerability (CVE-2020-0665) in Active Directory where a default setting could allow an attacker in a trusting forest to request delegation of a ticket-granting ticket (TGT) for a user account in the trusted forest.
The update makes sure that TGT delegation is disabled by default in new Active Directory deployments. Existing AD forests will not be affected by this update.
Microsoft Office 365 ProPlus gets three updates this month rated critical. The first is a security feature bypass flaw in Outlook where the software improperly handles the parsing of a URI. The flaw would be quite hard to exploit and it could only be used to run arbitrary code in combination with another flaw, like an RCE.
The second bug patched is an RCE in the way Excel handles objects in memory. If the flaw were successfully exploited, the attacker could run arbitrary code on the affected system in the context of the currently logged-in user.
The final bug is in the Microsoft Office OLicenseHeartbeat task and it could let an attacker run the task as SYSTEM.
Microsoft Exchange, SharePoint, and SQL Server
Exchange Server gets a fix for an RCE bug rated important. It could allow an authenticated user to pass objects to the web application, which runs as SYSTEM. Microsoft says that this bug is likely to be exploited, so you should get it patched as soon as possible. There’s also an EoP bug fixed for Exchange Server.
There’s a patch for an RCE in SQL Server Reporting Services, where it improperly handles page requests. The bug could let an attacker run code in the context of the Report Server service account.
The third patch is for a spoofing vulnerability in SharePoint Server and it is rated important. The flaw is a cross-site-scripting (XSS) flaw where SharePoint fails to properly sanitize specially crafted web requests. The bug could let an attacker run code in the context of the logged-in user.
Adobe Flash Player
This month sees Adobe address one critical flaw in Flash.
That is it for another month.