➠ The March 2020 Security Update Review

March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for March 2020

Oddly, Adobe has released no patches for March. In February, Adobe had multiple releases, so it’s very likely security patches will be released at some point in March. We will update this blog with information should this happen.

Microsoft Patches for March 2020

For March, Microsoft released patches for a massive 115 CVEs covering Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), Exchange Server, Office and Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, and Open Source Software. Of these 115, 26 are listed as Critical, 88 are listed as Important, and one is listed as Moderate in severity. Seven of these vulnerabilities were reported through the ZDI program. None of the bugs being patched are listed as being publicly known or under active attack at the time of release. The first quarter of 2020 has certainly been a busy one for Microsoft patches. Including today’s patches, there have been 265 patches in the first quarter. It will be interesting to see if this pace continues throughout the year.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug sure to be a hit with malware authors:

 -       CVE-2020-0852 – Microsoft Word Remote Code Execution Vulnerability
Most code execution bugs in Office products require a user to open a specially crafted file and are thus Important in severity. This Critical-rated Word bug requires no such user interaction. Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user. Emailing malicious documents is a common tactic for malware and ransomware authors. Having a bug that doesn’t require tricking someone into opening a file will be enticing to them.

-       CVE-2020-0905 – Dynamics Business Central Remote Code Execution Vulnerability
This bug in the business management solution could allow attackers to execute arbitrary shell commands on a target system. Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly.

-       CVE-2020-0684 – LNK Remote Code Execution Vulnerability
If this looks familiar, it could be because Microsoft released a nearly identical patch for LNK last month (CVE-2020-0729). Back-to-back patches is an indicator of a failed patch, but the lower CVE number for this month’s bug makes me think this is not the case here. Regardless, an attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file, so leave those sketchy USB drives you found in the parking lot alone.

-       CVE-2020-0872 – Remote Code Execution Vulnerability in Application Inspector
This bug could allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January. It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.

Here’s the full list of CVEs released by Microsoft for March 2020.