Patch Tuesday – February 2020
This month is a big one for sysadmins patching Microsoft products. So let’s get started.
Windows and Windows Server
To read more about the IE zero-day, check out Microsoft Issues Zero-Day Advisory for Internet Explorer on Petri.
Remote Desktop vulnerabilities
There are several other bugs patched for Windows this month that are rated critical. And as usual, some of them are for Remote Desktop. This month’s patched vulnerabilities for the Remote Desktop Client would require an attacker to trick or persuade a user to connect to a malicious server using DNS poisoning or a man-in-the-middle attack. But if successfully exploited, the attacker could run processes and change data with full user rights.
CVE-2020-0662 is also an RCE rated critical and it could allow an attacker to run code in the context of the logged-in user. CVE-2020-0738 is another critical RCE in the way Windows Media Foundation handles objects in memory. It could let an attacker perform actions with full user rights.
From the updates rated important, there’s one RCE connected to a flaw in Remote Desktop Services, again allowing an attacker to run code with full user rights on a remote system.
Active Directory TGT delegation update
There’s a patch for an elevation of privilege (EoP) vulnerability (CVE-2020-0665) in Active Directory where a default setting could allow an attacker in a trusting forest to request delegation of a ticket-granting ticket (TGT) for a user account in the trusted forest.
The update makes sure that TGT delegation is disabled by default in new Active Directory deployments. Existing AD forests will not be affected by this update.
Microsoft Office 365 ProPlus gets three updates this month rated critical. The first is a security feature bypass flaw in Outlook where the software improperly handles the parsing of a URI. The flaw would be quite hard to exploit and it could only be used to run arbitrary code in combination with another flaw, like an RCE.
The second bug patched is an RCE in the way Excel handles objects in memory. If the flaw were successfully exploited, the attacker could run arbitrary code on the affected system in the context of the currently logged-in user.
The final bug is in the Microsoft Office OLicenseHeartbeat task and it could let an attacker run the task as SYSTEM.
Microsoft Exchange, SharePoint, and SQL Server
Exchange Server gets a fix for an RCE bug rated important. It could allow an authenticated user to pass objects to the web application, which runs as SYSTEM. Microsoft says that this bug is likely to be exploited, so you should get it patched as soon as possible. There’s also an EoP bug fixed for Exchange Server.
There’s a patch for an RCE in SQL Server Reporting Services, where it improperly handles page requests. The bug could let an attacker run code in the context of the Report Server service account.
The third patch is for a spoofing vulnerability in SharePoint Server and it is rated important. The flaw is a cross-site-scripting (XSS) flaw where SharePoint fails to properly sanitize specially crafted web requests. The bug could let an attacker run code in the context of the logged-in user.
Adobe Flash Player
This month sees Adobe address one critical flaw in Flash.
That is it for another month.
More in Windows Server
Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues
May 20, 2022 | Rabia Noureen
CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers
May 17, 2022 | Rabia Noureen
Microsoft Confirms May 2022 Patch Tuesday Updates Cause AD Authentication Issues
May 12, 2022 | Rabia Noureen
Microsoft to Disable SMB1 File-Sharing Protocol By Default on Windows 11
Apr 20, 2022 | Rabia Noureen
Microsoft Defender for Endpoint Adds Support for Windows Server 2012 R2 and 2016
Apr 14, 2022 | Rabia Noureen
Microsoft Lets Windows Server Admins Opt-In for Automatic .NET Updates
Apr 13, 2022 | Rabia Noureen
Most popular on petri