Tuesday, February 11, 2020

Microsoft Patch Tuesday — Feb. 2020: Vulnerability disclosures and Snort coverage
By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are rated critical and 84 of which are rated important. There are also two bugs that were not assigned a severity.

This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.

Talos released a new set of SNORTⓇ rules today that provide coverage for some of these vulnerabilities; the rule SIDs are listed in the Coverage section below.

Critical vulnerabilities

Microsoft disclosed 12 critical vulnerabilities this month, all of which we will highlight below.

CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713 and CVE-2020-0767 are all memory corruption vulnerabilities in the Microsoft scripting engine, specifically in how Internet Explorer handles objects in memory. An attacker could use these vulnerabilities to corrupt memory on the victim machine in a way that would allow them to execute arbitrary code. A user could trigger these bugs by visiting an attacker-controlled web page in Internet Explorer that has been specially crafted to exploit them. Alternatively, an attacker could embed an ActiveX control marked "safe for initialization" in another application or Microsoft Office document that utilizes the Internet Explorer rendering engine and convince the victim to open that file.

CVE-2020-0681 and CVE-2020-0734 are remote code execution vulnerabilities in Remote Desktop Protocol that are triggered when the user connects to a malicious server. An attacker can exploit these vulnerabilities by hosting a server and convincing a user to connect to it, likely via social engineering or a man-in-the-middle technique.

CVE-2020-0662 is a remote code execution vulnerability in Windows 10 and some versions of Windows Server that exists in the way the software handles objects in memory. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with elevated permissions on the victim machine. To exploit it, the attacker would need a domain user account and would then send a specially crafted request.

CVE-2020-0729 is a remote code execution vulnerability in Windows that could allow an attacker to remotely execute code if Windows processes a specially crafted .LNK file. An adversary could exploit this vulnerability by sending the user a removable drive or remote share containing a malicious .LNK file and an associated malicious binary. If the user opens the file in Windows Explorer or another application that parses .LNK files, the binary will execute code of the attacker's choice.

CVE-2020-0738 is a memory corruption vulnerability in Windows Media Foundation that exists in the way the software handles objects in memory. An attacker could exploit this bug by convincing the user to open a specially crafted, malicious file or web page. The resulting memory corruption could allow the attacker to install programs, manipulate user data or create new user accounts on the victim machine.

Important vulnerabilities

This release also contains 84 important vulnerabilities:

Coverage

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089
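Once a new rule pack is installed, the practical question for a defender is whether every SID Talos listed is actually present and enabled in the deployed ruleset, since rules can be absent from an older pack or commented out by a local policy. The following script is an added example, not code from Talos or the Snort project: it expands the SID list exactly as written in this post (inclusive ranges) and audits it against a constructed sample rules file. The sample rule lines, their messages and the unrelated SID 1000001 are all made up for the demonstration; only the `sid:` option syntax and the convention that a leading `#` disables a rule are Snort's own.

```python
import re

# SID list copied verbatim from the post; "a - b" ranges are inclusive.
TALOS_SIDS = "48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089"

# Constructed sample of a Snort rules file (not a real Talos ruleset):
# two listed SIDs enabled, one listed SID commented out, one unrelated rule,
# and every other listed SID absent.
SAMPLE_RULES = """\
# constructed sample ruleset for the audit below
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE rule A"; sid:48701; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE rule B"; sid:53050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE rule C"; sid:53051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE unrelated"; sid:1000001; rev:1;)
"""

# Matches the sid option inside a rule body, e.g. "sid:53050;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(spec):
    """Turn '48701, 53050 - 53056, ...' into a set of integer SIDs."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def parse_rules(text):
    """Return {sid: enabled} for every line carrying a sid option.

    A rule whose line starts with '#' is present but disabled.
    """
    status = {}
    for line in text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not match:
            continue
        status[int(match.group(1))] = not stripped.startswith("#")
    return status


def audit_coverage(spec, rules_text):
    """Classify each listed SID as enabled, disabled or missing from the ruleset."""
    wanted = expand_sids(spec)
    status = parse_rules(rules_text)
    return {
        "enabled": sorted(s for s in wanted if status.get(s) is True),
        "disabled": sorted(s for s in wanted if status.get(s) is False),
        "missing": sorted(s for s in wanted if s not in status),
    }


if __name__ == "__main__":
    report = audit_coverage(TALOS_SIDS, SAMPLE_RULES)
    for state, sids in report.items():
        print(f"{state:>8}: {len(sids):2d} {sids}")
```

Pointing `audit_coverage` at the real `.rules` files shipped in your SRU or Subscriber Rule Set pack (concatenate their contents into `rules_text`) gives a quick check that none of the 23 SIDs above are missing or disabled before you rely on them for coverage of this month's disclosures.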
