Tim Lovegrove
Security Analyst
Like clockwork, Patch Tuesday rolls around again. Unlike January there’s no sign the sky is falling this month, but it’s a busy one and there’s lots to dig into. Let’s get started…
Microsoft
Depending on where you look it’s either 99 or 100 vulnerabilities being fixed by this month’s release from Microsoft, 12 of which are rated Critical, with one being actively exploited in the wild. This last one is a flaw in Internet Explorer’s scripting engine (CVE-2020-0674), which an attacker can exploit with a malicious web page. It also affects embedded objects in Office, and the patch negates the workaround of disabling scripting components in the OS.
Remote Desktop services also get a couple of vulnerabilities fixed (CVE-2020-0681, CVE-2020-0734), and there’s a notable Secure Boot bypass issue (CVE-2020-0689). There’s precious little detail available on this last one at present, there’s no known exploits for it yet, but it’s rated High with a CVSS score of 8.2.
More unusually, SQL gets a patch for a critical bug (CVE-2020-0618). This interesting vulnerability exists in the Reporting Services part of SQL and allows an attacker to execute code in the context of the underlying service account. While this particular account doesn’t require elevated permissions in a Windows domain, it’ll have local system privileges and it’s a common misconfiguration to assume service accounts need Domain Admins rights. Similarly, service accounts are often re-used, meaning the Report Server service account could have been granted a higher level of permission than it needs. Worth checking out what those accounts are doing in case no-one knows how they’re set up.
Also popping up is Exchange, with an Important fix for a buffer overflow vulnerability which enables remote code execution. This vuln (CVE-2020-068) can be exploited simply by sending a crafted email through a vulnerable Exchange server, and affects versions from 2013 CU23, 2016 CU14 through to 2019 CU3.
The long slow goodbye to Server 2008 and Windows 7 continues, with Microsoft dropping a fix for a Win7 patch released in January’s Patch Tuesday, and a subsequent fix for that patch to address a boot issue it caused for some machines. Certainly not smooth sailing and Microsoft will no doubt be forced to drop occasional patches for both Win7 and Server 2008 for a while to come.
Adobe
After a few quiet months, Flash gets an update for a single critical vulnerability which enables arbitrary code execution in the user’s context. While it may be tempting to think that users shouldn’t be admins, limiting the risk, it’s worth remembering that the default configuration of Windows on laptops sets the user as a local admin, giving an attacker much greater ability to gain a foothold.
Flash is slowly closing in on its end-of-life date, 31st December 2020. Never say never, but we might finally get to drop it off the blog in less than a year’s time!
Lastly, Acrobat and Reader get a fairly substantial update, with 17 vulnerabilities fixed. Several of these are rated as Critical, with a mix of Arbitrary Code Execution and memory-related leaks and buffer errors.
Get In Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.