The March 2020 Security Update Review
March 10, 2020 | Dustin Childs

March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for March 2020
For March, Adobe ended up releasing their security updates on March 17 – a week later than normal. The release consists of six bulletins addressing 41 unique CVEs in Adobe Acrobat and Reader, Photoshop, ColdFusion, Bridge, Experience Manager, and the Adobe Genuine Integrity Service. A total of 15 of these CVEs came through the ZDI program.
The update for Acrobat and Reader fixes nine Critical- and four Important-rated bugs. The worst of these would allow an attacker to execute code on the target system at the level of the logged-on user. The Photoshop patch fixes 16 Critical- and six Important-rated vulnerabilities, the worst of which could allow code execution if a user opened a specially crafted file. The ColdFusion patch corrects two Critical-rated bugs. The worst of these could allow code execution of files located in the webroot or one of its subdirectories. The update for Bridge fixes two Critical-rated bugs – an Out-of-Bounds (OOB) Write and a heap-based buffer overflow.
Both the Experience Manager and Genuine Integrity Service updates are rated Important. The Experience Manager patch fixes a few info disclosure bugs while the Genuine Integrity Service patch fixes a privilege escalation. None of the bugs are listed as publicly known or under active attack at the time of release.
Microsoft Patches for March 2020
For March, Microsoft released patches for a massive 115 CVEs covering Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), Exchange Server, Office and Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, and Open Source Software. Of these 115, 26 are listed as Critical, 88 are listed as Important, and one is listed as Moderate in severity. Seven of these vulnerabilities were reported through the ZDI program. None of the bugs being patched are listed as being publicly known or under active attack at the time of release. The first quarter of 2020 has certainly been a busy one for Microsoft patches. Including today’s patches, there have been 265 patches in the first quarter. It will be interesting to see if this pace continues throughout the year.
Let’s take a closer look at some of the more interesting updates for this month, starting with a bug sure to be a hit with malware authors:
Update: Post patch Tuesday, Microsoft released the following CVE out-of-band:
- CVE-2020-0796 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
This bug - released on the Thursday after patch Tuesday - would allow remote code execution via a vulnerability found in SMBv3 compression. This bug is wormable between SMBv3 servers, but not SMBv3 clients. You can disable SMBv3 compression as a workaround, and this can be done through PowerShell and without a reboot. If you are able, you should also block TCP port 445 at your perimeter. This bug isn’t known to be under active exploit as of now, but similar bugs were used in WannaCry and EternalBlue. Definitely test and apply this patch as soon as possible.
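The workaround described above, as an added PowerShell example that is not from the original post: it audits and applies the SMBv3 compression setting and, optionally, adds a host firewall rule for TCP 445 as a host-level stand-in for the perimeter block. The registry location is the one Microsoft documented for this workaround, not a value quoted on this page; run it from an elevated session.

```powershell
# Added example (not from the original post): audit and apply the SMBv3
# compression workaround for CVE-2020-0796. The registry path and value name
# are Microsoft's documented workaround, assumed here rather than taken from
# the page. Requires an elevated PowerShell session.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the workaround is in place, otherwise 'Enabled'.
    $value = Get-ItemProperty -Path $SmbParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($value -and $value.DisableCompression -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only sensible on hosts that do not need to serve SMB to others.
        [switch]$BlockPort445
    )

    if ($PSCmdlet.ShouldProcess($SmbParams, 'Set DisableCompression = 1')) {
        # Takes effect immediately; no reboot is required, as the post notes.
        Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWORD -Value 1 -Force
    }
    if ($BlockPort445 -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound TCP 445')) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - CVE-2020-0796' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    Get-SmbCompressionState
}

# Audit first, then remediate. Drop -WhatIf to actually apply the change;
# once the patch is installed the value can be reverted by setting it to 0.
"SMBv3 compression before: $(Get-SmbCompressionState)"
Disable-SmbCompression -WhatIf
```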
- CVE-2020-0852 – Microsoft Word Remote Code Execution Vulnerability
Most code execution bugs in Office products require a user to open a specially crafted file and are thus Important in severity. This Critical-rated Word bug requires no such user interaction. Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user. Emailing malicious documents is a common tactic for malware and ransomware authors. Having a bug that doesn’t require tricking someone into opening a file will be enticing to them.
- CVE-2020-0905 – Dynamics Business Central Remote Code Execution Vulnerability
This bug in the business management solution could allow attackers to execute arbitrary shell commands on a target system. Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly.
- CVE-2020-0684 – LNK Remote Code Execution Vulnerability
If this looks familiar, it could be because Microsoft released a nearly identical patch for LNK last month (CVE-2020-0729). Back-to-back patches are an indicator of a failed patch, but the lower CVE number for this month’s bug makes me think this is not the case here. Regardless, an attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file, so leave those sketchy USB drives you found in the parking lot alone.
- CVE-2020-0872 – Remote Code Execution Vulnerability in Application Inspector
This bug could allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January. It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.
Here’s the full list of CVEs released by Microsoft for March 2020.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Impact |
CVE-2020-0852 | Microsoft Word Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0905 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0684 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0811 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0812 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0881 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0883 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0801 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0807 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0809 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0869 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0768 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0830 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0816 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0823 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0825 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0826 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0827 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0828 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0829 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0831 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0832 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0833 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2020-0848 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0824 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2020-0847 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0758 | Azure DevOps Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0815 | Azure DevOps Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0700 | Azure DevOps Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0844 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0863 | Connected User Experiences and Telemetry Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0793 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0690 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0820 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0762 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0763 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0903 | Microsoft Exchange Server Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-0645 | Microsoft IIS Server Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2020-0893 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0894 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0795 | Microsoft SharePoint Reflective XSS Vulnerability | Important | No | No | N/A | 2 | XSS |
CVE-2020-0891 | Microsoft SharePoint Reflective XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0884 | Microsoft Visual Studio Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-0850 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0851 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0855 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0892 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0808 | Provisioning Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0872 | Remote Code Execution Vulnerability in Application Inspector | Important | No | No | 2 | 2 | RCE |
CVE-2020-0813 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
CVE-2020-0902 | Service Fabric Elevation of Privilege | Important | No | No | 2 | 2 | EoP |
CVE-2020-0789 | Visual Studio Extension Installer Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0788 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0877 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0887 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0876 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0770 | Windows ActiveX Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0773 | Windows ActiveX Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0860 | Windows ActiveX Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0834 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0787 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0769 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0771 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0819 | Windows Device Setup Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0810 | Windows Diagnostics Hub Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0776 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0858 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0772 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0806 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0775 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0774 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0874 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0879 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0880 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0882 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0791 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0898 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2020-0885 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0840 | Windows Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0841 | Windows Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0849 | Windows Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0896 | Windows Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0853 | Windows Imaging Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0779 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0798 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0814 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0842 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0843 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0799 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0822 | Windows Language Pack Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0854 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0859 | Windows Modules Installer Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0778 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0802 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0803 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0804 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0845 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0871 | Windows Network Connections Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0861 | Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0780 | Windows Network List Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0857 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0786 | Windows Tile Object Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0867 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0868 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0781 | Windows UPnP Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0783 | Windows UPnP Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0785 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0777 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0797 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0800 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0864 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0865 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0866 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0897 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0765 | Remote Desktop Connection Manager Information Disclosure Vulnerability | Moderate | No | No | 2 | 2 | Info |
Of the remaining Critical-rated patches, all are somehow related to web browsers. The patches either directly affect the browser itself or have some form of a browse-and-own scenario. Of course, we’re used to seeing a large update for browsers (and other targets) prior to Pwn2Own, which happens in Vancouver next week. We’ll see if any of these patches impact contestants, who have the option to compete remotely this year.
Looking at the Important-rated patches, Elevation of Privilege (EoP) bugs represent more than half of the March release with a total of 60 EoPs being addressed. Of these bugs, the updates for Windows Defender Security Center stand out. Although updates for Windows Defender require no user interaction, these patches are for the Windows Defender Security Center and do need to be applied. It’s definitely something that could lead to some confusion. Several EoP bugs impact components of the Windows Installer subsystem. To exploit these, an attacker would need to have code execution privileges on a target system. In practice, an attacker would likely trick a user into running their application to get the privilege escalation.
There’s an update for an EoP in the Azure Service Fabric that’s a bit non-standard. An unauthenticated attacker could gain rights to the Service Fabric File Store Service if the node is exposed externally. You also need to ensure you’re on the latest cumulative update (Service Fabric 7.0 CU3) prior to updating to CU4. Many other Windows components receive fixes for EoP bugs, but none really stand out. If you need to prioritize, focus on the kernel bugs and those with a high exploit index rating.
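The prioritization advice above (kernel bugs first, then anything with a high exploit index) can be run over the CVE table itself. This is an added PowerShell example, not part of the original post: it parses rows in the table's pipe-delimited layout and scores them; the sample rows are copied from the table above and the scoring weights are an assumption, as is the reading of XI 1 as Microsoft's "exploitation more likely" rating.

```powershell
# Added example (not from the original post): rank rows of the March 2020
# CVE table for patch prioritization. Sample rows copied from the table;
# paste the full table into $TableText for a complete ranking.
$TableText = @'
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Impact |
CVE-2020-0852 | Microsoft Word Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0832 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0690 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0788 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0799 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0898 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2020-0765 | Remote Desktop Connection Manager Information Disclosure Vulnerability | Moderate | No | No | 2 | 2 | Info |
'@

function ConvertFrom-PatchTable {
    # Turns the pipe-delimited rows into objects; the header row is skipped
    # because it does not start with a CVE identifier.
    param([Parameter(Mandatory)][string]$Text)
    $rows = $Text -split "`r?`n" | Where-Object { $_ -match '^CVE-\d{4}-\d+' }
    foreach ($row in $rows) {
        $cols = ($row -split '\|').Trim()
        [pscustomobject]@{
            CVE      = $cols[0]
            Title    = $cols[1]
            Severity = $cols[2]
            XILatest = $cols[5]
            XIOlder  = $cols[6]
            Impact   = $cols[7]
        }
    }
}

function Get-PatchPriority {
    # Scoring weights are an assumption for illustration, not ZDI's method:
    # Critical severity, XI 1 on any branch, and kernel-mode components
    # (Kernel/Win32k in the title) each add to the score.
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        $score = 0; $reasons = @()
        if ($Row.Severity -eq 'Critical') { $score += 3; $reasons += 'Critical' }
        if ($Row.XILatest -eq '1' -or $Row.XIOlder -eq '1') {
            $score += 2; $reasons += 'XI 1 (exploitation more likely)'
        }
        if ($Row.Title -match 'Kernel|Win32k') { $score += 2; $reasons += 'kernel-mode component' }
        $Row | Add-Member -NotePropertyName Score -NotePropertyValue $score -PassThru |
               Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

ConvertFrom-PatchTable -Text $TableText | Get-PatchPriority |
    Sort-Object Score -Descending |
    Format-Table CVE, Severity, XILatest, XIOlder, Score, Reasons -AutoSize
```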
The Exchange Server gets an update this month for a cross-site scripting (XSS) bug. It’s not as serious as the Exchange bug patched last month, which is now reportedly under active attack. The IIS Server receives a fix for a tampering bug. An attacker could use this bug to modify responses returned to clients.
There are 16 fixes for information disclosure bugs. The most notable is the Moderate-rated bug in the Remote Desktop Connection Manager. While the info disclosure itself is not terribly exciting, there’s not a fix for this vulnerability. Microsoft states they are not fixing this vulnerability and have deprecated the application. The bug could allow an attacker to read arbitrary files via an XML external entity (XXE) declaration.
Rounding out this month’s release, there are a couple of denial-of-service (DoS) bugs fixed in Windows and Visual Studio. Office receives a few more patches where the Preview Pane is not an attack vector. Finally, there are patches for XSS bugs in SharePoint and the Azure DevOps Server.
There are no new advisories for this month. There is an update to the Windows Servicing Stack, which now seems to be a standard monthly update.
Looking Ahead
The next Patch Tuesday falls on April 14, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!