Microsoft patches 117 vulnerabilities in March 2020 Patch Tuesday
Of them, 26 are rated as 'critical' bugs
Microsoft has released its March 2020 Patch Tuesday update, addressing a total of 117 security vulnerabilities across various products, including Windows, Office and the Edge web browser.
Of the 117 security flaws fixed by the company, 26 are rated as 'critical', meaning they are easy for hackers to exploit and could enable them to take full control of the target device. One vulnerability fixed in the latest security update is 'moderate' in severity, while the rest are considered 'important'.
CVE-2020-0684 is a remote code execution (RCE) vulnerability, which is most likely to be exploited by malware developers. This flaw arises when a user opens a specially crafted .LNK file in Windows. According to Microsoft, the malicious .LNK file could be delivered to the user via a removable drive or remote share. A successful attack would enable the hacker to gain the same user rights as the local user.
CVE-2020-0852 is another RCE bug that affects Microsoft Word and could be exploited simply by getting the user to load an email containing a malicious Word file in the Microsoft Outlook preview pane.
Among the other RCE bugs fixed by Microsoft, two (CVE-2020-0833 and CVE-2020-0824) affect Internet Explorer. CVE-2020-0833 is an RCE vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer.
CVE-2020-0824 is also an RCE vulnerability, which exists when Internet Explorer improperly accesses objects in memory. Both could enable attackers to execute malicious code on the target system, provided the victim is logged in with administrative rights.
CVE-2020-0801, CVE-2020-0807, CVE-2020-0809 and CVE-2020-0869 are memory corruption bugs existing in Microsoft Media Foundation. If exploited, they could allow a hacker to create new user accounts on the target machine; modify or delete data; and install new programmes.
Some other critical vulnerabilities addressed by Microsoft in its March security update include CVE-2020-0768, CVE-2020-0811, CVE-2020-0812, CVE-2020-0816, and CVE-2020-0830.
Microsoft also leaked, by mistake, some information about a yet-to-be-patched vulnerability affecting the Server Message Block 3.0 (SMBv3) network communication protocol.
While Microsoft didn't publish any advisory for the vulnerability, many security vendors who received early details as part of the Microsoft Active Protections Programme released details on the flaw.
Many experts fear this 'wormable' pre-authentication RCE bug, which is tracked as CVE-2020-0796, could enable hackers to create another EternalBlue-like exploit.
Later on Tuesday, Microsoft published a security advisory on this RCE bug.
"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server," Microsoft warned.
"To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it," it added.