By Jon Munshaw and Vitor Ventura.
Update (March 12, 2020): Microsoft released an out-of-band patch for CVE-2020-0796, a code execution vulnerability SMB client and server for Windows. An unauthenticated attacker could exploit this vulnerability to execute remote code. Snort rules 53425 - 53428 protect against exploitation of CVE-2020-0796.
Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important.
This month's patches include updates to Microsoft Media Foundation, the GDI+ API and Windows Defender, among others.
Talos released a new set of SNORTⓇ rules today that provide coverage for some of these vulnerabilities, which you can see here.
Critical vulnerabilities Microsoft disclosed 25 critical vulnerabilities this month, 20 of which we will highlight below.
CVE-2020-0684 is a remote code execution vulnerability in Microsoft Windows that arises if the user opens a specially crafted, malicious .LNK file. This file could be presented to the victim on a removable drive or remote share, and then when opened, would execute a malicious binary embedded in the file.
CVE-2020-0801, CVE-2020-0807, CVE-2020-0809 and CVE-2020-0869 are memory corruption vulnerabilities in Microsoft Media Foundation. All of these could allow an attacker to gain the ability to install programs, view, change or delete data or create new user accounts on the victim machine. A user could trigger this vulnerability by opening a specially crafted, malicious file or web page. Attackers are most likely to try and exploit this vulnerability via spam emails with malicious links and attachments.
CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833 and CVE-2020-0848 are all memory corruption vulnerabilities in the way the ChakraCore scripting engine handles objects in memory. If successful, an attacker could corrupt the victim machine's memory in a way that would allow them to execute arbitrary code in the context of the current user.
CVE-2020-0824 and CVE-2020-0847 are remote code execution vulnerabilities in the VBScript engine. An attacker could exploit these bugs by tricking the user into visiting a specially crafted website in the Internet Explorer web browser or by marking an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. These bugs specifically require user interaction and would rely on some form of social engineering on the attacker's part.
CVE-2020-0881 and CVE-2020-0883 are remote code execution vulnerabilities in GDI+, an API for C and C++ programmers. An attacker could exploit these bugs by hosting a specially crafted website and then convincing the user to open it. Additionally, a victim could open a malicious document designed to exploit this vulnerability that's provided to them via email or any other file-sharing method.
These are the other critical vulnerabilities:
Important vulnerabilities This release also contains 91 important vulnerabilities, five of which we will highlight.
CVE-2020-0850, CVE-2020-0851, CVE-2020-0852 and CVE-2020-0855 are all remote code execution vulnerabilities that exist in the way Microsoft Word handles objects in memory. If successful, the attacker could use these bugs to carry out malicious actions in the context of the current user via the Word document. Attackers are likely to use spam emails to try and distribute these malicious documents.
CVE-2020-0761 is an elevation of privilege vulnerability in Microsoft Office. An attacker could exploit this bug to execute the OLicenseHeartbeat task at the SYSTEM level after replacing a normally legitimate file with a specially crafted one, corrupting memory. This vulnerability could be used with other remote code execution vulnerabilities disclosed this month to carry out a more serious attack with higher than usual privileges.
The other important vulnerabilities are:
There is also one moderate vulnerability, CVE-2020-0765.
Coverage In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.
These rules are: 52213, 52214, 53402 - 53409, 53414 - 53419, 53420 - 53424