Commenting on this, Satnam Narang, Senior Research Engineer at Tenable, said: "This month's Patch Tuesday release contains updates for a staggering 99 CVEs, 12 of which are rated as critical. This is one of the largest Patch Tuesday releases we've seen in recent times. Microsoft released a patch for CVE-2020-0674, a memory corruption vulnerability in Internet Explorer that Microsoft issued an advisory for in January, cautioning that the flaw had been exploited in the wild. At the time, Microsoft only provided mitigation instructions and did not release an out-of-band patch. Details about the in-the-wild exploitation of the flaw are still not known, but it is important for organizations to apply these patches as soon as possible.
Additionally, multiple vulnerabilities in Remote Desktop were patched, including two remote code execution vulnerabilities that are likely to be exploited, according to Microsoft. These flaws, identified as CVE-2020-0681 and CVE-2020-0734, exist in Remote Desktop Client. Exploitation of these requires an attacker to either persuade their victim into connecting to a vulnerable Remote Desktop Server operated by the attacker or plant malicious code on a compromised Remote Desktop Server and wait for the vulnerable user to connect to it.
Microsoft also patched CVE-2020-0688, a memory corruption vulnerability in Microsoft Exchange. To exploit this vulnerability, an attacker would need to send a specially crafted email to a vulnerable Exchange server. Exploitation of the flaw would lead to arbitrary code execution in the context of the System user, granting an attacker the ability to create a new account, install programs, and view, change or delete data."