Patch Tuesday – February 2020

This month is a big one for sysadmins patching Microsoft products. So let’s get started.

Windows and Windows Server

Last month, Microsoft published a security advisory for Internet Explorer (IE) outlining a remote code execution (RCE) flaw in the way that IE’s JavaScript engine handles objects in memory. It could be used by an attacker to run arbitrary code in the context of the logged-in user. This month, Microsoft has provided a patch to plug the vulnerability.

To read more about the IE zero-day, check out “Microsoft Issues Zero-Day Advisory for Internet Explorer” on Petri.

Remote Desktop vulnerabilities

There are several other bugs patched for Windows this month that are rated critical. And as usual, some of them are for Remote Desktop. This month’s patched vulnerabilities for the Remote Desktop Client would require an attacker to trick or persuade a user to connect to a malicious server using DNS poisoning or a man-in-the-middle attack. But if successfully exploited, the attacker could run processes and change data with full user rights.

CVE-2020-0662 is also an RCE rated critical and it could allow an attacker to run code in the context of the logged-in user. CVE-2020-0738 is another critical RCE in the way Windows Media Foundation handles objects in memory. It could let an attacker perform actions with full user rights.

From the updates rated important, there’s one RCE connected to a flaw in Remote Desktop Services, again allowing an attacker to run code with full user rights on a remote system.

Active Directory TGT delegation update

There’s a patch for an elevation of privilege (EoP) vulnerability (CVE-2020-0665) in Active Directory where a default setting could allow an attacker in a trusting forest to request delegation of a ticket-granting ticket (TGT) for a user account in the trusted forest.

The update makes sure that TGT delegation is disabled by default in new Active Directory deployments. Existing AD forests will not be affected by this update.

Microsoft Office

Microsoft Office 365 ProPlus gets three updates this month rated critical. The first is a security feature bypass flaw in Outlook where the software improperly handles the parsing of a URI. The flaw would be quite hard to exploit and it could only be used to run arbitrary code in combination with another flaw, like an RCE.

The second bug patched is an RCE in the way Excel handles objects in memory. If the flaw were successfully exploited, the attacker could run arbitrary code on the affected system in the context of the currently logged-in user.

The final bug is in the Microsoft Office OLicenseHeartbeat task and it could let an attacker run the task as SYSTEM.

Microsoft Exchange, SharePoint, and SQL Server

Exchange Server gets a fix for an RCE bug rated important. It could allow an authenticated user to pass objects to the web application, which runs as SYSTEM. Microsoft says that this bug is likely to be exploited, so you should get it patched as soon as possible. There’s also an EoP bug fixed for Exchange Server.

There’s a patch for an RCE in SQL Server Reporting Services, where it improperly handles page requests. The bug could let an attacker run code in the context of the Report Server service account.

The third patch is for a spoofing vulnerability in SharePoint Server, rated important. It is a cross-site scripting (XSS) flaw in which SharePoint fails to properly sanitize specially crafted web requests. The bug could let an attacker run code in the context of the logged-in user.

Adobe Flash Player

This month sees Adobe address one critical flaw in Flash.

That is it for another month.