This month’s Patch Tuesday is here and with it come fixes for no fewer than 99 security vulnerabilities in Windows and other Microsoft software.
Twelve flaws have received the highest severity ranking of “critical”, while 5 security holes are listed as publicly known at the time of release.
In fact, one vulnerability ticks both boxes – an actively exploited zero-day in Internet Explorer (IE). Microsoft disclosed this flaw, indexed as CVE-2020-0674, three weeks ago but didn’t roll out a patch until now. Successful exploitation of this remote code execution (RCE) vulnerability enables remote attackers to run code of their choice on the vulnerable system.
Per this summary by the SANS Technology Institute, another 16 RCE holes are being plugged as part of this month’s bundle of security patches. This includes two severe vulnerabilities in the Windows Remote Desktop Client, CVE-2020-0681 and CVE-2020-0734, where exploitation is seen as likely by Microsoft.
Updates have been released for various flavors of Windows, as well as for Office, Edge, Exchange Server, SQL Server and a few more products. The number of fixes this month is unusually high; for example, last month's Patch Tuesday rollout fixed 49 vulnerabilities.
The highest vulnerability score, 8.8 out of 10 on the CVSS scale, has been assigned to a memory corruption vulnerability in Windows Media Foundation. An attacker who abused this vulnerability, tracked as CVE-2020-0738, could run arbitrary code on the impacted system. A host of elevation-of-privilege and denial-of-service vulnerabilities are also being patched.
All updates are available via this Microsoft Update Catalog for all supported versions of Windows. It's the first time that Windows 7 users are out of luck (unless they pay for Extended Security Updates, that is) as the operating system reached end of life last month.
