March 2020 Patch Tuesday – 115 Vulns, 26 Critical, Microsoft Word and Workstation Patches
This month’s Microsoft Patch Tuesday addresses 115 vulnerabilities with 26 of them labeled as Critical. Of the 26 Critical vulns, 17 are for browser and scripting engines, 4 are for Media Foundation, 2 are for GDI+ and the remaining 3 are for LNK files, Microsoft Word and Dynamics Business. Microsoft also issued a patch for an RCE in Microsoft Word. Adobe has not posted any patches for Patch Tuesday.
In both volume and severity, this is a heavy Patch Tuesday.
Workstation Patches
The Scripting Engine, LNK files (CVE-2020-0684), GDI+ (CVE-2020-0831, CVE-2020-0883) and Media Foundation (CVE-2020-0801, CVE-2020-0809, CVE-2020-0807, CVE-2020-0869) patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Microsoft Word RCE
A Remote Code Execution vulnerability (CVE-2020-0852) in Microsoft Word is also covered in today’s patch release. An attacker could exploit the vulnerability with a specially crafted file to perform actions in the context of the logged-in user, with that user’s permissions.
Application Inspector RCE
Microsoft has also fixed a Remote Code Execution vulnerability (CVE-2020-0872) in Application Inspector. This vulnerability can allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. This patch should be prioritized, despite being labeled as “Important” by Microsoft.
Dynamics Business Central RCE
Dynamics Business Central client is affected by a Remote Code Execution vulnerability (CVE-2020-0905) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as “Exploitation Less Likely,” considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations.
There are no Adobe patches released for this month’s Patch Tuesday.
*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Animesh Jain. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches