Today’s VERT Alert addresses Microsoft’s February 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-870 on Wednesday, February 12th. 

In-The-Wild & Disclosed CVEs

CVE-2020-0674

A vulnerability exists in the way that Internet Explorer’s scripting engine handles objects in memory. An attacker that successfully exploited this vulnerability would have would have the same access as the currently logged in user. This vulnerability has been publicly exploited.

Microsoft has rated this as a 0 (Exploitation Detected) on the latest software release on the Exploitability Index.

CVE-2020-0683 / CVE-2020-0686

A pair of vulnerabilities exist within the Windows Installer that could allow attackers to add or remove files from a system due to the way that symbolic links are processed within MSI packages. An attacker would need to be logged into the system and have a malicious application designed to target the vulnerability. These vulnerabilities has been publicly disclosed.

Microsoft has rated both CVE-2020-0683 and CVE-2020-0686 as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.

CVE-2020-0689

This publicly disclosed vulnerability in Microsoft Security Boot could allow an attacker by bypass secure boot and load untrusted software. It is important to pay attention to the FAQ for this vulnerability. The update is a standalone update (rare for Windows 10) and requires the November Servicing Stack Update be installed. Additionally, if you are using Windows Defender Credential Guard, multiple reboots will be required.

Microsoft has rated this as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.

CVE-2020-0706

A vulnerability in the handling of cross-origin requests in Microsoft browsers could allow an attacker to identify the origin of all web pages in the targeted browser. Successful exploitation would require that the victim accesses attacker controlled content. The vulnerability was addressed by changing how browsers handle cross-origin requests. This vulnerability has been publicly disclosed.

Microsoft has rated this as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

Tag
CVE Count
CVEs
Windows Hyper-V
3
CVE-2020-0661, CVE-2020-0662, CVE-2020-0751
Microsoft Windows
38
CVE-2020-0666, CVE-2020-0667, CVE-2020-0668, CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672, CVE-2020-0675, CVE-2020-0676, CVE-2020-0677, CVE-2020-0678, CVE-2020-0679, CVE-2020-0680, CVE-2020-0681, CVE-2020-0682, CVE-2020-0685, CVE-2020-0701, CVE-2020-0727, CVE-2020-0737, CVE-2020-0739, CVE-2020-0740, CVE-2020-0741, CVE-2020-0742, CVE-2020-0743, CVE-2020-0747, CVE-2020-0748, CVE-2020-0753, CVE-2020-0754, CVE-2020-0755, CVE-2020-0756, CVE-2020-0757, CVE-2020-0657, CVE-2020-0658, CVE-2020-0659, CVE-2020-0698, CVE-2020-0703, CVE-2020-0704, CVE-2020-0732
Microsoft Malware Protection Engine
1
CVE-2020-0733
Microsoft Edge
2
CVE-2020-0663, CVE-2020-0706
Windows Media
1
CVE-2020-0738
Windows Installer
3
CVE-2020-0683, CVE-2020-0686, CVE-2020-0728
Windows NDIS
1
CVE-2020-0705
Internet Explorer
2
CVE-2020-0673, CVE-2020-0674
Microsoft Scripting Engine
5
CVE-2020-0767, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713
Microsoft Office SharePoint
2
CVE-2020-0693, CVE-2020-0694
SQL Server
1
CVE-2020-0618
Microsoft Graphics Component
7
CVE-2020-0745, CVE-2020-0746, CVE-2020-0792, CVE-2020-0709, CVE-2020-0714, CVE-2020-0715, CVE-2020-0744
Windows Kernel
12
CVE-2020-0736, CVE-2020-0716, CVE-2020-0717, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731
Secure Boot
1
CVE-2020-0689
Microsoft Exchange Server
3
CVE-2020-0688, CVE-2020-0696, CVE-2020-0692
Windows Shell
5
CVE-2020-0655, CVE-2020-0702, CVE-2020-0729, CVE-2020-0730, CVE-2020-0707
Microsoft Office
3
CVE-2020-0695, CVE-2020-0697, CVE-2020-0759
Microsoft Windows Search Component
1
CVE-2020-0735
Windows RDP
1
CVE-2020-0660
Windows Authentication Methods
1
CVE-2020-0665
Windows Update Stack
1
CVE-2020-0708
Windows Kernel-Mode Drivers
1
CVE-2020-0691
Remote Desktop Client
1
CVE-2020-0734
Windows COM
3
CVE-2020-0749, CVE-2020-0750, CVE-2020-0752

 

Other Information

In addition to the Microsoft vulnerabilities included in the February Security Guidance, an advisory were released today.

February 2020 Adobe Flash Security Update [ADV200003]

Microsoft has released an advisory for Adobe Security Bulletin APSB20-06. This advisory contains updates for CVE-2020-3757.