Post-Patch Tuesday Roundup: March 2020

There’s no let up in the onslaught of updates coming out of Redmond, with March being even bigger than last month. It’s an all-Microsoft blog and there’s some big stuff to cover, so let’s get started…

Microsoft

115 vulnerabilities are fixed in March’s Patch Tuesday drop, with several headline-grabbing fixes being the most prominent.

A predictable Twitter meltdown followed the announcement of CVE-2020-0796, a critical, RCE-enabling, wormable bug in SMB v3 which primarily grabbed the headlines due to its similarity to the EternalBlue bug, the famous enabler of the WannaCry attack back in 2017. The underlying issue is a buffer overflow flaw related to the compression technique used by SMB, resulting in the ability to execute arbitrary code on the victim.

In the wake of WannaCry, the use of SMB across the perimeter was substantially reduced by businesses, both inbound and outbound. This reduces the opportunity for this exploit to be attempted, as an attacker would need to already have a foothold in the network and easier methods exist if you’re a hacker already in that position. However, the same isn’t true for home users and people working outside the office network, and tricking someone into establishing an SMB connection to a server on the internet is a viable approach.

Despite being included as a CVE advisory this Patch Tuesday, there’s currently no patch for this flaw, with Microsoft issuing workaround guidance (disabling SMB v3 compression) instead. Update your Vulnerability Management tools to detect any servers that need the workaround applying.

The next bug is arguably more worrying and certainly more likely to be encountered in the wild. CVE-2020-0852 is a Word flaw which enables the attacker to execute commands in the user’s context. Given the widespread prevalence of laptop and desktop users being the local admin on their device, this presents an opportunity to get some serious access to the local machine, from where the attacker can look to elevate their privileges and move laterally. The most concerning part about this bug is that it can be activated simply by looking at the file in the Outlook Preview Pane, meaning the file doesn’t need to be fully opened in Word for the malicious code to run.

The last one we’ll look at this month is the highest CVE-rated bug of the March release and affects .LNK files. The .LNK extension is used for creating shortcuts and is often used to make links to websites available on the desktop. However, it can point to other file types and in this instance the .LNK is paired with a malicious binary that executes when the .LNK is parsed. By sharing the malicious .LNK with a user the attacker can get the binary to run any code they desire.

Once again, this carries a few assumptions on the part of the attacker: they must somehow get the .LNK file and its paired executable available to the user. This is unlikely to be successful over email, as both .exe’s and .LNK’s tend to be blocked by mail filters by default. This means an attacker will have to be more inventive to get the user to click the shortcut, potentially dropping USB sticks or setting up shared file locations and tempting the user to click through and onto that .LNK. A well-crafted phishing email pointing to a location hosting the files could be widely successful.