Microsoft has issued one of the biggest security updates of recent years with a Patch Tuesday that fixes 115 unique CVEs, including 26 critical flaws.
The majority of these are found in Windows (79 CVEs) and Edge/IE (18). Experts agreed that sysadmins should prioritize CVE-2020-0684, a Remote Code Execution (RCE) vulnerability affecting Windows 7 through Windows 10 and Windows Server 2008 through 2019.
The bug lies in the way Windows processes .LNK files. To exploit it, an attacker would need to trick a victim into clicking on a .LNK file located on a removable drive or remote share that also contains the malware.
Microsoft also announced four RCE flaws in the way Word handles objects in memory: CVE-2020-8050, CVE-2020-8051, CVE-2020-8052 and CVE-2020-8055.
“To exploit these vulnerabilities an attacker would need to send a specially crafted Microsoft Word document via email and convince a victim to click on the email or get the user to visit a website with a trojanized Word document,” explained Allan Liska, senior solutions architect at Recorded Future.
“Of note, CVE-2020-8052 can be exploited just with the Microsoft Outlook Preview Pane, without ever opening the Microsoft Word Document. As Recorded Future has previously noted, Microsoft Office is among the most popular attack vectors for cyber-criminals. We expect one or more of these vulnerabilities will be weaponized sooner rather than later.”
Satnam Narang, principal research engineer at Tenable, picked out three elevation of privilege vulnerabilities as worthy of attention. CVE-2020-0788, CVE-2020-0877 and CVE-2020-0887 affect Win32k due to improper handling of objects in memory and could be used by hackers to execute code on targeted systems post-compromise, he explained.
Also this month, Microsoft appears to have leaked details of a wormable vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol, for which there is no fix.
No advisory was published, but several security vendors that are part of the Microsoft Active Protections Program have released details on the flaw, CVE-2020-0796.
Although no exploit details are currently circulating online, there will be concerns over the publication of the CVE, especially as SMB was the protocol leveraged to devastating effect by the WannaCry ransomware worm.
“This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers,” read a description of the CVE from Fortinet.
“The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”