1. IT-Security >
  2. Hacking >
  3. The March 2020 Security Update Review

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

The March 2020 Security Update Review


Hacking vom | Direktlink: thezdi.com Nachrichten Bewertung

March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for March 2020

Oddly, Adobe has released no patches for March. In February, Adobe had multiple releases, so it’s very likely security patches will be released at some point in March. We will update this blog with information should this happen.

Microsoft Patches for March 2020

For March, Microsoft released patches for a massive 115 CVEs covering Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), Exchange Server, Office and Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, and Open Source Software. Of these 115, 26 are listed as Critical, 88 are listed as Important, and one is listed as Moderate in severity. Seven of these vulnerabilities were reported through the ZDI program. None of the bugs being patched are listed as being publicly known or under active attack at the time of release. The first quarter of 2020 has certainly been a busy one for Microsoft patches. Including today’s patches, there have been 265 patches in the first quarter. It will be interesting to see if this pace continues throughout the year.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug sure to be a hit with malware authors:

 -       CVE-2020-0852 – Microsoft Word Remote Code Execution Vulnerability
Most code execution bugs in Office products require a user to open a specially crafted file and are thus Important in severity. This Critical-rated Word bug requires no such user interaction. Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user. Emailing malicious documents is a common tactic for malware and ransomware authors. Having a bug that doesn’t require tricking someone into opening a file will be enticing to them.

-       CVE-2020-0905 – Dynamics Business Central Remote Code Execution Vulnerability
This bug in the business management solution could allow attackers to execute arbitrary shell commands on a target system. Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly.

-       CVE-2020-0684 – LNK Remote Code Execution Vulnerability
If this looks familiar, it could be because Microsoft released a nearly identical patch for LNK last month (CVE-2020-0729). Back-to-back patches is an indicator of a failed patch, but the lower CVE number for this month’s bug makes me think this is not the case here. Regardless, an attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file, so leave those sketchy USB drives you found in the parking lot alone.

-       CVE-2020-0872 – Remote Code Execution Vulnerability in Application Inspector
This bug could allow an attacker to execute their code on a target system if they can convince a user to run Application Inspector on code that includes a specially crafted third-party component. Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January. It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.

Here’s the full list of CVEs released by Microsoft for March 2020.

CVE Title Severity Public Exploited XI - Latest XI - Older Impact
CVE-2020-0852 Microsoft Word Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0905 Dynamics Business Central Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0684 LNK Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0811 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0812 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0881 GDI+ Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0883 GDI+ Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0801 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0807 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0809 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0869 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0768 Microsoft Browser Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0830 Microsoft Browser Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0816 Microsoft Edge Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0823 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0825 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0826 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0827 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0828 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0829 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0831 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0832 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2020-0833 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2020-0848 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0824 VBScript Remote Code Execution Vulnerability Critical No No 1 N/A RCE
CVE-2020-0847 VBScript Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-0758 Azure DevOps Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0815 Azure DevOps Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0700 Azure DevOps Server Cross-site Scripting Vulnerability Important No No 2 2 XSS
CVE-2020-0844 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0863 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0793 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0690 DirectX Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0820 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0762 Microsoft Defender Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0763 Microsoft Defender Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0903 Microsoft Exchange Server Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-0645 Microsoft IIS Server Tampering Vulnerability Important No No 2 2 Tampering
CVE-2020-0893 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0894 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0795 Microsoft SharePoint Reflective XSS Vulnerability Important No No N/A 2 XSS
CVE-2020-0891 Microsoft SharePoint Reflective XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0884 Microsoft Visual Studio Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-0850 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0851 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0855 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0892 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0808 Provisioning Runtime Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0872 Remote Code Execution Vulnerability in Application Inspector Important No No 2 2 RCE
CVE-2020-0813 Scripting Engine Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2020-0902 Service Fabric Elevation of Privilege Important No No 2 2 EoP
CVE-2020-0789 Visual Studio Extension Installer Service Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-0788 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0877 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0887 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0876 Win32k Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0770 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0773 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0860 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0834 Windows ALPC Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0787 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0769 Windows CSC Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0771 Windows CSC Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0819 Windows Device Setup Manager Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0810 Windows Diagnostics Hub Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0776 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0858 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0772 Windows Error Reporting Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0806 Windows Error Reporting Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0775 Windows Error Reporting Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0774 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0874 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0879 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0880 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0882 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0791 Windows Graphics Component Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0898 Windows Graphics Component Elevation of Privilege Vulnerability Important No No N/A 1 EoP
CVE-2020-0885 Windows Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0840 Windows Hard Link Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0841 Windows Hard Link Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0849 Windows Hard Link Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0896 Windows Hard Link Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0853 Windows Imaging Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0779 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0798 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0814 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0842 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0843 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0799 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0822 Windows Language Pack Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0854 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0859 Windows Modules Installer Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0778 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0802 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0803 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0804 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0845 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0871 Windows Network Connections Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0861 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0780 Windows Network List Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0857 Windows Search Indexer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0786 Windows Tile Object Service Denial of Service Vulnerability Important No No 2 2 DoS
Externe Webseite mit kompletten Inhalt öffnen

https://www.thezdi.com/blog/2020/3/10/the-march-2020-security-update-review

Team Security Social Media

➤ Weitere Beiträge von Team Security | IT Sicherheit

  • CentOS Blog: CentOS Community newsletter, April 2020 (#2004)

    vom 786.78 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, I hope you are all well. I know that this is a very difficult time for all of you, and that you likely have other things on your mind than CentOS, so I'll try to make it interesting this month. In this edition: News Releases and updates Event
  • The March 2020 Security Update Review

    vom 501.67 Punkte ic_school_black_18dp
    March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for March 2020Oddly, Adobe
  • The April 2020 Security Update Review

    vom 459.25 Punkte ic_school_black_18dp
    April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for April 2020For April, Ad
  • The May 2020 Security Update Review

    vom 451.14 Punkte ic_school_black_18dp
    May is upon us, and with it brings another bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for May 2020The Adobe updat
  • The February 2020 Security Update Review

    vom 445.29 Punkte ic_school_black_18dp
    February is here, and with it comes some significant security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2020The Adobe
  • CentOS Blog: CentOS Pulse Newsletter, April 2019 (#1904)

    vom 433.44 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter #CentOS15 CentOS turns 15 this month! We've been talking with some of the people who have be
  • CentOS Blog: Errata/Releases, March 19th 2019

    vom 342.95 Punkte ic_school_black_18dp
    A substantial number of released/updates were announced on Tuesday, March 19th, and are listed below. For timely announcements of these updates, subscribe to the centos-announce mailing list, at https://lists.centos.org/mailman/listinfo/centos-announce . Errata and Enhancements Advisories We issued the following CEEA (CentOS Errata and Enhanc
  • Movierulz 2020 | Download Watch Telugu Bollywood and Hollywood Full Movies Online Free

    vom 335.58 Punkte ic_school_black_18dp
    Movierulz - Download watch latest Bollywood Hollywood Hindi English Telugu Tamil Malayalam Dubbed Kannada Marathi Punjabi movies online free movierulz torrent8Movierulz.ws- Download Watch Telugu Bollywood and Hollywood Full Movies Online FreeThe torre
  • CentOS Blog: CentOS Community newsletter, March 2020 (#2003)

    vom 266.5 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, For the past several months, the focus has been on FOSDEM, as usual this time of year. Now that FOSDEM is behind us, it's time to turn our attention to the upcoming Dojo at Facebook, and Red Hat Summit. We'd love to see you at one of thes
  • The January 2020 Security Update Review

    vom 253.35 Punkte ic_school_black_18dp
    Welcome to the new year, and welcome to the first Patch Tuesday of 2020. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for January 2020Adobe begins the ye
  • CentOS Blog: CentOS Community newsletter, June 2020 (#2006)

    vom 231.79 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, We hope you are all doing well and staying healthy, and, as always, thank you for being part of this great community. In this edition: News Releases and updates Events SIG reports News User Survey Over the past month we have been conducting
  • CentOS Blog: CentOS Community newsletter, February 2020 (#2002)

    vom 201.84 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, After a slowdown over the past few months, the year is off to a busy start. I'm getting the newsletter out a little later than usual, due to having spent last week in Brussels, at FOSDEM. More about this below. Special thanks go to Ama

Team Security Diskussion über The March 2020 Security Update Review