Microsoft Patches 26 Critical Bugs in Big March Update
upstart writes in with an IRC submission for Bytram:
Microsoft Patches 26 Critical Bugs in Big March Update:
Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update - 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.
This month's haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike last month, Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.
Within the mix of critical issues, Microsoft tacked three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBscript scripting language used by Microsoft.
As for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.
"The vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user," wrote Richard Melick, Sr., technical product manager at Automox, in prepared analysis. "What this means is that an attacker could run malicious code directly on the user's system. If the user is logged in with administrative rights, those rights would extend to the code."
As for the VBscript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. "[It] will give the user complete control over many aspects of the device," Melick said.
As for the other critical bugs, 17 fixes are tied to Microsoft's browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys' Patch Tuesday team.
Jain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. "An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user," he noted.
Read more of this story at SoylentNews.