Microsoft’s March 2020 Patch Tuesday – Tenable commentary

In this month’s Patch Tuesday Roundup, Microsoft released updates to address 115 vulnerabilities, 26 of which are critical. The update contains patches for 31 remote code execution flaws as well as 58 elevation of privilege vulnerabilities which accounts for nearly half of all reported CVEs this month. This month’s patches include Microsoft Windows, Microsoft Office, Microsoft Exchange Server, Azure DevOps, Windows Defender, Visual Studio, Microsoft Office Services and Web Apps, Azure, Microsoft Dynamics, including a crop of RCEs in the ChakraCore scripting engine for Internet Explorer and Microsoft Edge. The blog examines several of the vulnerabilities and also includes guidance for customers on how to create scans that specifically focus on Patch Tuesday.

Commenting on this Satnam NarangPrincipal Research Engineer at Tenable said –

This month’s Patch Tuesday is a considerable release, containing fixes for 115 vulnerabilities with 26 of them rated as critical and 88 rated as important. In contrast, Microsoft released fixes for 99 vulnerabilities, with only 16 rated as critical. Of the 58 elevation of privilege vulnerabilities patched this month, the most severe are CVE-2020-0788, CVE-2020-0877, CVE-2020-0887.

These are elevation of privilege flaws in Win32k due to improper handling of objects in memory. Elevation of Privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. Microsoft rates these vulnerabilities as “exploitation more likely,” according to their exploitability index. Microsoft also patched several memory corruption vulnerabilities. The most notable ones include one in Internet Explorer (CVE-2020-0824), and two in its scripting engine (CVE-2020-0832, CVE-2020-0833) due to the way objects are handled in memory.

These vulnerabilities would provide an attacker the ability to execute code with the privileges of the current user. In order to exploit the flaws, an attacker would either need to use social engineering tactics to convince their victim to visit a malicious website hosting the exploit code, or compromise an existing website directly or through the compromise of an advertiser. Once again, Microsoft rates these vulnerabilities as “exploitation more likely” according to their exploitability index.”