Microsoft has fixed almost a century of CVEs this month, although experts suggest the workload shouldn’t be too hard on admins.
The 99 vulnerabilities fixed this month feature 12 critical CVEs, including one zero-day, and another four that have been publicly disclosed and so will also need to be prioritized.
The zero-day being exploited in the wild is CVE-2020-0674, a remote code execution flaw in the way the scripting engine handles objects in memory in Internet Explorer. By hosting a specially crafted website designed to exploit the bug, a hacker could gain the same rights as the current user.
Other noteworthy critical bugs include CVE-2020-0729 a remote code execution vulnerability in the way Microsoft processes LNK files.
“Microsoft considers exploitation of the vulnerability unlikely, however, a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September,” explained Recorded Future senior solutions architect, Allan Liska.
He also highlighted CVE-2020-0662, an RCE vulnerability that could allow any user with a domain account to execute arbitrary code on a victim’s machine at elevated privileges, using a specially crafted packet.
It affects the now-unsupported Windows 7 and Server 2008, as well as later versions.
Todd Schell, senior product manager at Ivanti, argued that despite the sizeable patch load, updating operating systems or browsers “can take the teeth out of the majority of risks this month.”
“The really good news in all of this is 99 CVEs really doesn’t mean a whole lot of extra work for admins this month,” he added.
“The normal updates still apply. OS, browsers, and Office will resolve most of your vulnerabilities from the Microsoft side. SQL and Exchange admins do get a bit of extra work this month as both of those products are included in the updates released.”
Meanwhile, Adobe resolved 17 CVEs for Adobe Reader and Acrobat (APSB20-05), including 12 critical ones, and one critical CVE for Flash Player (APSB20-06).