While January 2020’s “Patch Tuesday” release from Microsoft wasn’t large, it had a few “high profile” vulnerabilities that demanded immediate attention. February is a different story. At the time the patches were released, Microsoft reported that only one of the vulnerabilities was being actively exploited. There are a whopping 99 individual vulnerabilities fixed across operating systems and their components, browsers, the Microsoft Office suite (including SharePoint), Microsoft Exchange, and SQL Reporting Services.
While most are listed as “Important” or below, there are five “Critical” operating system and seven “Critical” browser vulnerabilities. There are another 87 vulnerabilities across multiple products listed as “Important.”
Critical operating system vulnerabilities
CVE-2020-0681 and CVE-2020-0734 are similar in that they both affect the Remote Desktop client. In both cases, a bad actor would have to trick a user into connecting to a compromised Remote Desktop server under the bad actor’s control. These vulnerabilities affect all Remote Desktop clients on Windows 7 through the current release of Windows 10 and all Server versions (including Core). Microsoft labeled these vulnerabilities as “Exploitation More Likely,” as it has with many Remote Desktop vulnerabilities in the past.
CVE-2020-0662 is a Remote Code Execution vulnerability marked by Microsoft as “Exploitation Less Likely.” To take advantage of it, a domain user would have to send a specially crafted request to elevate privilege on the target system. This affects all versions of Windows from Windows 7 up to the current release of Windows 10, as well as all Server versions (including Core).
CVE-2020-0738 is a Remote Code Execution vulnerability in Windows Media Foundation that would require a user to click on a malicious file or visit a malicious website. It’s listed as “Exploitation Less Likely,” and, like the others in this list, affects all versions of Windows Workstation and Server operating systems.
CVE-2020-0729 is also a Remote Code Execution vulnerability, this one requiring a user to click on a .LNK file. Successful exploitation gives the attacker code execution at the privilege level of the user who clicked on it. This one also affects all versions of Windows Workstation and Server.
Critical browser vulnerabilities
First up is the fix for the vulnerability that was reported on January 17, which was expected this Patch Tuesday. CVE-2020-0674 is a zero-day vulnerability in Internet Explorer reported by Microsoft as “Exploitation Detected” in their release notes, which means it’s under active attack. You should note that the older IE 9 and IE 10 are also listed as affected. Another vulnerability in the browser’s scripting engine, CVE-2020-0673, carries a similar description to the above, but it’s listed as “Exploitation More Likely.” This means that while there is no active exploit yet, one may show up soon after this disclosure.
The remainder of the Critical browser vulnerabilities are in Microsoft Edge (the EdgeHTML version) and affect varying operating systems. They’re all listed as “Exploitation Less Likely.”
A reminder: now that the Edge browser is based on Chromium, you’ll see advisories much like ADV200002 for vulnerabilities fixed in that version of the browser.
Microsoft Exchange Server (2010, 2013, 2016, and 2019) has fixes for two vulnerabilities, CVE-2020-0688 and CVE-2020-0692. The first would require an attacker to send a specially crafted email to the Exchange Server and would give the attacker the ability to execute code in the System context. The second would allow an attacker to impersonate another user by submitting a manipulated user token to Exchange Web Services.
The Microsoft Office suite has many vulnerabilities listed as “Important.” These affect nearly all versions of Outlook, Excel 2010-2016, and SharePoint 2013, 2016, and 2019.
Finally, there is one vulnerability in SQL Reporting Services listed as “Exploitation Less Likely.”
So, from a prioritization standpoint, we know from Microsoft’s report that browsers are the area of attention this month. If you need to prioritize one area over another, focus first on workstations that browse the internet. Next, address the server operating systems for the Remote Desktop client vulnerabilities, and then move on to Office, Exchange servers, and SQL Reporting Services.
Microsoft publishes a release note summary on Patch Tuesday, and at the end of that document you can find the known issues. On review, almost all of the known issues involve permission problems when performing a rename action on a Cluster Shared Volume without administrative privileges. Please read the notes and known issues if you have any concerns.
As a note, almost all of Microsoft’s updates are now cumulative. This means that installing the Cumulative Update for an operating system will handle most of the vulnerabilities outside of Office and other applications. On older operating systems such as Server 2012 and Windows 8.1, there is generally a Security Only update or a Monthly Rollup. It’s up to you which one of those you choose to approve, but in most cases the Security Only update is smaller. If you’re current on your updates from month to month, Security Only updates can be quicker to install. If you’re behind on your updates, it’s always a good idea to install the Monthly Rollup to get current in one shot.
On a final note, remember that Windows 7 updates will only apply if you have an Extended Security Update contract with Microsoft. This month, 47 of the vulnerabilities applied to the Windows 7 operating system. If this is any indication of “the way things will be,” it’s a good idea to either consider purchasing Extended Security Updates or go ahead and plan to upgrade to a supported operating system soon. Each month may take you further away from a secure state.
Let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd