February 2020 Patch Tuesday has seen Microsoft release patches for 99 vulnerabilities (and one advisory for Adobe Flash), making it one of the largest monthly patch releases in recent months. Twelve of the patches correct critical vulnerabilities, with the remainder all rated important.
Four patches correct vulnerabilities that have previously been disclosed, one of which – CVE-2020-0674 – is an actively exploited vulnerability affecting Internet Explorer that could allow an attacker to take full control of a vulnerable device.
The memory corruption vulnerability was reported to Microsoft by researchers at Google’s Threat Analysis Group and Qihoo 360. Microsoft issued an advisory in January and urged users to disable jscript.dll to prevent the flaw from being exploited. However, the mitigations caused problems with several programs as well as printer drivers. 0patch released a micropatch that could be applied without causing these problems. Now Microsoft has patched the flaw.
The flaw concerns the Trident rendering engine used by Internet Explorer. It also affects other programs that rely on Trident. For example, even if Internet Explorer is not installed on a device, the flaw could be exploited through embedded objects in Office documents. The flaw is most likely to be exploited by convincing a user to visit a specially crafted webpage, via a phishing email for example.
The other three vulnerabilities that have been publicly disclosed are the Windows Installer elevation of privileges vulnerabilities CVE-2020-0683 and CVE-2020-0686, and the Microsoft browser information disclosure vulnerability, CVE-2020-0706.
The critical vulnerabilities are:
- Microsoft Scripting Engine memory corruption vulnerabilities: CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, and CVE-2020-0767
- Microsoft Windows Remote Desktop Client RCE vulnerability: CVE-2020-0677
- Remote Desktop Client RCE vulnerability: CVE-2020-0734
- Windows Hyper-V denial of service vulnerability: CVE-2020-0662
- Windows Media Foundation memory corruption vulnerability: CVE-2020-0738
- Windows Shell IME elevation of privileges vulnerability: CVE-2020-0729
41 fixes have also been released for the Chromium-based Edge browser. These are in addition to the 99 Patch Tuesday fixes.
Adobe has also issued patches this week to correct vulnerabilities in Adobe Framemaker, Adobe Flash Player, Adobe Reader, Adobe Acrobat, Adobe Digital Editions, and Adobe Experience Manager. In total, 41 fixes have been released. Aside from one vulnerability rated moderate and three rated important, all of the others are rated critical, and the fixes for them correct remote code execution vulnerabilities.