
Patch Tuesday – February 2020

This month is a big one for sysadmins patching Microsoft products. So let’s get started.

Windows and Windows Server

Last month, Microsoft published a security advisory for Internet Explorer (IE) outlining a remote code execution (RCE) flaw in the way that IE’s JavaScript engine handles objects in memory. It could be used by an attacker to run arbitrary code in the context of the logged-in user. This month, Microsoft has provided a patch to plug the vulnerability.

To read more about the IE zero-day, check out Microsoft Issues Zero-Day Advisory for Internet Explorer on Petri.

Remote Desktop vulnerabilities

There are several other bugs patched for Windows this month that are rated critical. And as usual, some of them are for Remote Desktop. This month’s patched vulnerabilities for the Remote Desktop Client would require an attacker to trick or persuade a user to connect to a malicious server using DNS poisoning or a man-in-the-middle attack. But if successfully exploited, the attacker could run processes and change data with full user rights.

CVE-2020-0662 is also an RCE rated critical and it could allow an attacker to run code in the context of the logged-in user. CVE-2020-0738 is another critical RCE in the way Windows Media Foundation handles objects in memory. It could let an attacker perform actions with full user rights.

From the updates rated important, there’s one RCE connected to a flaw in Remote Desktop Services, again allowing an attacker to run code with full user rights on a remote system.

Active Directory TGT delegation update

There’s a patch for an elevation of privilege (EoP) vulnerability (CVE-2020-0665) in Active Directory where a default setting could allow an attacker in a trusting forest to request delegation of a ticket-granting ticket (TGT) for a user account in the trusted forest.

The update makes sure that TGT delegation is disabled by default in new Active Directory deployments. Existing AD forests will not be affected by this update.

Microsoft Office

Microsoft Office 365 ProPlus gets three updates this month rated critical. The first is a security feature bypass flaw in Outlook where the software improperly handles the parsing of a URI. The flaw would be quite hard to exploit and it could only be used to run arbitrary code in combination with another flaw, like an RCE.

The second bug patched is an RCE in the way Excel handles objects in memory. If the flaw were successfully exploited, the attacker could run arbitrary code on the affected system in the context of the currently logged-in user.

The final bug is in the Microsoft Office OLicenseHeartbeat task and it could let an attacker run the task as SYSTEM.

Microsoft Exchange, SharePoint, and SQL Server

Exchange Server gets a fix for an RCE bug rated important. It could allow an authenticated user to pass objects to the web application, which runs as SYSTEM. Microsoft says that this bug is likely to be exploited, so you should get it patched as soon as possible. There’s also an EoP bug fixed for Exchange Server.

There’s a patch for an RCE in SQL Server Reporting Services, where it improperly handles page requests. The bug could let an attacker run code in the context of the Report Server service account.

The third patch is for a spoofing vulnerability in SharePoint Server, rated important. It is a cross-site scripting (XSS) flaw in which SharePoint fails to properly sanitize specially crafted web requests. The bug could let an attacker run code in the context of the logged-in user.

Adobe Flash Player

This month sees Adobe address one critical flaw in Flash.

That is it for another month.




IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.