The February 2020 Security Update Review
February is here, and with it comes some significant security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for February 2020
The Adobe release for February includes five bulletins addressing a total of 42 CVEs in Framemaker, Experience Manager, Adobe Digital Editions, Flash, and Acrobat and Reader. The update for Framemaker fixes 21 Critical-rated bugs, all of which were submitted through the ZDI program. The vast majority of these are Out-of-Bounds (OOB) write bugs that could lead to code execution. The update for Adobe Acrobat and Reader fixes 17 CVEs – seven of which are Use-After-Free (UAF) bugs. The worst of these bugs could allow an attacker to execute code on an affected system if a user opened a specially crafted file. The Flash update fixes a single type confusion bug that could allow code execution at the level of the logged-on user. The patch for Adobe Digital Editions fixes two CVEs, one of which is a command injection bug that could allow code execution. The final patch from Adobe for February corrects a single Denial-of-Service (DoS) bug in the Experience Manager. None of these bugs are listed as publicly known or under active attack at the time of release.
We should also mention that Adobe released a patch for their Magento Commerce platform in late January to correct six CVEs. Adobe acquired Magento last May for $1.68 billion USD, and this appears to be the first patch released for the platform since the acquisition. None of these Critical- and Important-rated bugs are listed as publicly known or under active attack. What isn’t clear is if patches for Magento will eventually be included in the regular Patch Tuesday release or if they will be released outside of the standard schedule.
Microsoft Patches for February 2020
For February, Microsoft released patches for a whopping 99 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Internet Explorer (IE), SQL Server, Exchange Server, Office and Office Services and Web Apps, Azure DevOps Server, Team Foundation Server, and the Microsoft Malware Protection Engine. Of the 99 CVEs, 12 are listed as Critical while the remaining 87 are listed as Important in severity. Three of these vulnerabilities were reported through the ZDI program. According to Microsoft, five of these bugs are publicly known and one is currently under active attack.
Let’s take a closer look at some of the more interesting updates for this month, starting with the bug reported to be under active attack since mid-January:
- CVE-2020-0674 – Scripting Engine Memory Corruption Vulnerability
This browser bug impacts IE and the other programs that rely on the Trident rendering engine. Microsoft first warned users of this bug back on January 17. Attackers can execute code on affected systems if a user browses to a specially crafted website. Even if you don’t use IE, you could still be affected by this bug through embedded objects in Office documents. Considering the listed workaround – disabling jscript.dll – breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch.
- CVE-2020-0688 – Microsoft Exchange Memory Corruption Vulnerability
This code execution bug in Exchange is only listed as Important, but you should treat it as a Critical-rated vulnerability. An attacker could gain code execution on affected Exchange servers by sending a specially crafted e-mail. No other user interaction is required. The code execution occurs at System-level permissions, so the attacker could completely take control of an Exchange server through a single e-mail. This bug was reported through our program, and we’ll publish details about it in the near future.
- CVE-2020-0729 – LNK Remote Code Execution Vulnerability
Bugs impacting link files (.LNK) never fail to amaze me. If .LNK vulnerabilities ring a bell, that’s likely due to one being used in the Stuxnet malware; that flaw remained one of the most widely exploited software flaws for years to come. This bug is similar. An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or – as has been seen in the past – placing the .LNK file on a USB drive and having the user open it. It’s a handy way to exploit an air-gapped system.
- CVE-2020-0689 – Microsoft Secure Boot Security Feature Bypass Vulnerability
This security feature bypass bug could allow attackers to circumvent the Secure Boot feature and load untrusted software on an affected system. This is one of the publicly known bugs being patched this month. While this is certainly a bug to scrutinize, it’s compounded by a non-standard patching process. This month’s servicing stack must first be applied, then additional standalone security updates need to be installed. If you have the Windows Defender Credential Guard (Virtual Secure Mode) enabled, you’ll need to go through two additional reboots as well. All this is needed to block impacted third-party bootloaders.
Here’s the full list of CVEs released by Microsoft for February 2020.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | Critical | Yes | Yes | 0 | 0 | RCE |
CVE-2020-0683 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2020-0686 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2020-0706 | Microsoft Browser Information Disclosure Vulnerability | Important | Yes | No | 2 | 2 | Info |
CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 | SFB |
CVE-2020-0729 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0738 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0681 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0734 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0673 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0767 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0710 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0712 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0713 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0711 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2020-0662 | Windows Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0757 | Windows SSH Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0661 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0751 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | N/A | DoS |
CVE-2020-0660 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0665 | Active Directory Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0740 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0741 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0742 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0743 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0749 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0750 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0727 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0709 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
CVE-2020-0732 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
CVE-2020-0663 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-0692 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0720 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0721 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0722 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0723 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0725 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0726 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0731 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0719 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0724 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0691 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 | EoP |
CVE-2020-0703 | Windows Backup Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0701 | Windows Client License Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0685 | Windows COM Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0657 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0747 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0659 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0737 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0739 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0753 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0754 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0678 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0679 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0680 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0682 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0792 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0745 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0715 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0707 | Windows IME Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0668 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0669 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0670 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0671 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0672 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0733 | Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-0666 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0667 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0735 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0752 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0730 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0704 | Windows Wireless Network Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0714 | DirectX Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0746 | Microsoft Graphics Components Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0717 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0716 | Win32k Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2020-0658 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2020-0744 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0698 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0736 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2020-0675 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0676 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0677 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0748 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0755 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0756 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0728 | Windows Modules Installer Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0705 | Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0759 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0655 | Remote Desktop Services Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0708 | Windows Imaging Library Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0696 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-0702 | Surface Hub Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-0695 | Microsoft Office Online Server Spoofing Vulnerability | Important | No | No | 2 | N/A | Spoof |
CVE-2020-0697 | Microsoft Office Tampering Vulnerabil...
View the complete article at the external source: https://www.thezdi.com/blog/2020/2/11/the-february-2020-security-update-review
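A triage pass over the table's pipe-delimited rows, added here as an example (not ZDI's or Microsoft's code): it tolerates N/A index values and a truncated row like the last one on this page, and orders patches by exploited, then public, then lowest exploitability index, then severity. The ordering rule and the function names are assumptions; the sample rows are copied from the table.

```python
import re

# Rows copied from the table above; the last one is truncated the same way
# the final row of this page is.
SAMPLE = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | Critical | Yes | Yes | 0 | 0 | RCE |
CVE-2020-0683 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2020-0729 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2020-0711 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2020-0691 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 | EoP |
CVE-2020-0697 | Microsoft Office Tampering
"""

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"Critical": 0, "Important": 1}
XI_UNKNOWN = 4  # assumed sentinel: sorts after 3 when both XI columns are N/A


def parse_rows(text):
    """Return (rows, skipped_ids); rows with a missing column are skipped."""
    rows, skipped = [], []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if not CVE_ID.match(cells[0]):
            continue  # header or blank line
        if len(cells) != 8:
            skipped.append(cells[0])  # truncated row: report it, never guess
            continue
        cve, title, severity, public, exploited, xi_latest, xi_older, kind = cells
        xi_values = [int(x) for x in (xi_latest, xi_older) if x.isdigit()]
        rows.append({
            "cve": cve, "title": title, "severity": severity, "type": kind,
            "public": public == "Yes", "exploited": exploited == "Yes",
            # Lower XI means exploitation is more likely; keep the worst case.
            "xi": min(xi_values, default=XI_UNKNOWN),
        })
    return rows, skipped


def triage(rows):
    """Order rows: exploited, then public, then lowest XI, then severity."""
    def key(r):
        return (not r["exploited"], not r["public"], r["xi"],
                SEVERITY_RANK.get(r["severity"], 2), r["cve"])
    return sorted(rows, key=key)


if __name__ == "__main__":
    rows, skipped = parse_rows(SAMPLE)
    for r in triage(rows):
        print(f'{r["cve"]}  XI={r["xi"]}  {r["severity"]:<9}  {r["title"]}')
    print("skipped (incomplete):", ", ".join(skipped))
```

With this ordering the Important-rated CVE-2020-0688 (XI 1) lands ahead of the Critical-rated entries with XI 2, which matches the advice above to treat it as Critical.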