Naked Security

IE zero day and heap of RDP flaws fixed in February Patch Tuesday

Weeks after the world first got wind of it, Microsoft has finally patched the Internet Explorer (IE) zero-day flaw the company said in January was being used in “limited targeted attacks”.
The fix is part of the February Patch Tuesday update that features a record 99 security vulnerabilities including 12 marked as ‘critical’ and 87 ‘important’.
The first indication of the IE zero-day, now identified as CVE-2020-0674, appeared when Mozilla fixed a very similar issue in Firefox on 8 January, less than two days after the appearance of version 72.
The attacks were reported to Mozilla by a third party which, in a later-deleted reference, mentioned that the same issue also affected IE. On 17 January, Microsoft issued its own alert regarding the Scripting Engine memory corruption flaw, citing IE’s Enhanced Security Configuration protection as a mitigation against attacks.
This matters because IE code is buried inside Windows 10, which means it presents a risk even to those not using it. In the last year, IE has had other similar troubles, including CVE-2019-1367, a zero-day in September, and a proof-of-concept vulnerability reported in April.
And that’s not all – CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, and CVE-2020-0767 are all Scripting Engine memory corruption issues connected to Edge and IE browsers.

A lot of holes

Another running theme in recent times has been Microsoft fixing the holes that keep appearing in its Remote Desktop Protocol (RDP) client, which has become one of the first doors cybercriminals try when looking for a way into a network.
Sure enough, this month brings CVE-2020-0734 and CVE-2020-0681, both critical flaws which could be exploited in a number of ways, including by convincing users to connect to servers under the attacker’s control. A third, CVE-2020-0660, is a denial-of-service flaw marked important, while the fourth, CVE-2020-0655, affects the Remote Desktop Service.
February also sees another critical .LNK shortcut flaw fixed, CVE-2020-0729. Microsoft says:

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.

This basic flaw covers the same ground as CVE-2019-1280 from last September, not to mention the Stuxnet malware’s exploitation of CVE-2010-2568 in 2010.
Another critical is CVE-2020-0738, a memory corruption flaw in Windows Media Foundation, while CVE-2020-0689, marked important, could offer attackers a way around Microsoft Secure Boot.

Flash!

Adobe’s February update features 42 CVEs, including 21 criticals in FrameMaker alone. Acrobat and Reader, meanwhile, feature 17, including 12 rated critical. There’s even one critical fix, CVE-2020-3757, for Flash Player.

