Welcome to March’s Patch Tuesday Breakdown.
This month brings 115 security fixes from Microsoft, 26 of which are rated “Critical.” This is by no means a “light” update. While there are no zero-day vulnerabilities to reckon with, there are definitely quite a few security bugs that need to be addressed. This is the heaviest patch load Microsoft has put out so far in 2020, and February was no lightweight, either.
An update from Mozilla Firefox corrects multiple critical and important vulnerabilities found in the web browser -- including a security bug that allows malicious actors to target iPhone users and collect their data if their AirPods are connected.
For March, Adobe has not released any security updates -- a rare occurrence, but we may see an update from them later on this month. Check out last month’s breakdown for coverage of February’s security updates from Adobe, Microsoft and more.
Critical updates from Microsoft
All told, Microsoft has released a whopping 26 critical security updates for March -- but there are a few notable vulnerabilities to take a look at:
CVE-2020-0824 is a remote code execution vulnerability which occurs when Internet Explorer fails to access objects in memory correctly. Attackers can potentially exploit this vulnerability by convincing users to visit malicious websites or view malicious content. If successfully exploited, attackers can then use this vulnerability to run arbitrary code within the context of the current user. If the user has administrative privileges, an attacker can potentially seize control of the victim system -- allowing them to install programs, view or change data, and create new user accounts. Ultimately, what this means is that an attacker can use this vulnerability to run malicious code on a victim system. The patch corrects this by changing how Internet Explorer accesses objects in memory.
CVE-2020-0833 is another remote code execution vulnerability, which occurs in the way Internet Explorer’s scripting engine handles objects in memory. Malicious actors can exploit this vulnerability by designing specially crafted websites for targeting this bug in Internet Explorer. If successful, attackers can then gain control of the victim system and run arbitrary code within the rights of the current user. If the attackers can obtain administrative rights, they can install new programs, change or delete data and create new user accounts. This month’s security update fixes the issue by correcting how the scripting engine handles objects in memory.
CVE-2020-0847 is a remote code execution vulnerability which exists in the way VBScript engine handles objects in memory. Attackers can potentially exploit this vulnerability by tricking users into viewing or visiting maliciously designed websites, web content, or documents. In other words, it is a strong contender for phishing attacks.
If successful, attackers can then use this vulnerability to seize control of the victim system within the context of the current user. If the user has administrative privileges, the malicious actors can then view, change or delete data, install programs, and create new user accounts. The update from Microsoft resolves this issue by correcting how VBScript engine handles objects in memory.
This month’s security update from Microsoft contains a lot of similar-looking vulnerabilities. For example, there are six remote code execution vulnerabilities in ChakraCore scripting engine: CVE-2020-0825, -0826, -0827, -0828, -0829 and -0831.
While March is not the most ground-breaking Patch Tuesday we’ve ever seen, it is a heavyweight when it comes to busywork. With 115 patches in total, Windows admins are going to have their work cut out for them.
Fixes from Mozilla Firefox
For March, Mozilla has released Firefox 74. The newest version of the web browser fixes five critical security flaws found in 73 -- including a bug that could allow attackers to hack into your smartphone. The vulnerability, known as “CVE-2020-6812,” targets iPhone users and gives malicious actors access to data linked to connected AirPods.
Richard Melick, senior technical product manager here at Automox, shared in an article for ThreatPost: “While none have been seen exploited in the wild yet, the time to weaponization averages 7 days. And with Firefox’s increasing market growth in the enterprise market, leaving any devices unpatched could lead to a security incident. This security flaw could expose users’ names without their knowledge. Websites with microphone or camera access can gather information on the user through their connected AirPods.”
Mozilla noted that AirPods are automatically named after the user after being connected to a device. But when users log into websites with camera or microphone permissions, those sites are able to decipher device names -- leaving the user’s name exposed.
Fortunately, Firefox 74 takes care of this issue. The latest version of Firefox also resolves several other vulnerabilities involving memory corruption or privilege escalation. These include:
While there is no update from Adobe this month (so far), this month’s security update will certainly be a busy one. Deploying patches as effectively and efficiently as possible every month is a key step in maintaining good cyber hygiene practices. Employing a regular patching schedule is a crucial element of cyber security for organizations of every size.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.