Microsoft released a record number of patches on March Patch Tuesday. 115 vulnerabilities have been patched across the entire product range, including 26 vulnerabilities that have been rated critical and 88 that have been rated important. None of the flaws in the March round of updates are believed to have been exploited in the wild and none have been made public prior to the patches being released.
17 of the critical flaws affect browsers and scripting engines, four critical errors are in Media Foundation, two affect GDI+, and there is one in each of Microsoft Word, LNK files, and Dynamic Business. 12 of the vulnerabilities could lead to remote code execution.
Two of the RCE flaws affect Internet Explorer – CVE-2020-0833, CVE-2020-0824 – but they could only allow execution of arbitrary code if the user is logged in with administrative rights, which limits the potential for exploitation.
There are five remote code execution vulnerabilities in Microsoft Word: four are rated important (CVE-2020-0850, CVE-2020-0851, CVE-2020-0855, and CVE-2020-0892) and one is rated critical (CVE-2020-0852). The critical vulnerability would allow malicious Word documents to be created that could execute code without the documents being opened, such as via the Outlook Preview Pane.
The LNK file vulnerability – CVE-2020-0684 – could allow an attacker to create LNK files that perform code execution, and such files could be used in spam campaigns.
The Application Inspector remote code execution vulnerability, CVE-2020-0872, could be exploited to steal source code of files if a user can be convinced to run Application Inspector on source code that includes a malicious third-party component.
System administrators have been advised to apply the patches as soon as possible after appropriate testing to prevent the vulnerabilities from being exploited.
One interesting absence in this month’s updates is a patch for a recently discovered wormable vulnerability in Windows Server Message Block (SMBv3). The vulnerability, tracked as CVE-2020-0796, is critical and could potentially be exploited in a similar fashion to EternalBlue. Fortinet and Cisco Talos released details about the flaw and a patch was expected, but it has not been released by Microsoft. Cisco Talos has since taken down its post about the flaw, presumably until Microsoft releases the patch. Fortinet described the bug as a maximum severity buffer overflow vulnerability in Microsoft SMB servers. While a summary of the bug has been published, no exploit code has been released, as was the case for the wormable SMBv1 vulnerability that was exploited by WannaCry in 2017.