Microsoft’s
February Patch Tuesday update was much more extensive then has been the norm
with 99 CVEs being revealed with 12 considered critical and one fixing a memory
corruption zero day in Internet Explorer that is being exploited in the wild.

February is also the first month that Microsoft did not issue a general update for Windows 7 and Server 2008 as each reached its end of service coverage in January. However, the company did post updates for those companies that arranged for an Extended Security Update for their software.

Ivanti’s Todd
Schell, senior product manager, security, said the fact that Microsoft included
these updates with their overall rollout could cause some confusion as some
admins and consumers may mistakenly believe they can fix any issues associated
with this now outdated software.

For those
whose only concern is with supported software, Schell noted most admins will
not have to do much, despite the high number of issues
this month, as the updates are pushed automatically. There is one caveat.

“SQL and
Exchange admins do get a bit of extra work this month as both of those products
are included in the updates released,” he said.

The most
prominent issue this month is CVE-2020-0674.

Microsoft issued
an advisory notice for CVE-2020-0674 in January
stating at the time it was aware of limited targeted attacks in a remote code
execution vulnerability in the scripting engine of Internet Explorer across all
versions of Windows that would let a hacker obtain the same rights as a current
user. CVE-2020-0674 is only rated a moderate threat, but Satnam Narang, senior
research engineer at Tenable, told SC Media it is important for organizations
to apply the patch as soon as possible.

Additional
high-priority critical vulnerabilities patched by Microsoft included CVE-2020-0662,
a remote code execution vulnerability exists in the way that Windows handles
objects in memory; CVE-2020-0681, a remote code execution vulnerability in the
Windows Remote Desktop Client that can be exploited when a user connects to a
malicious server; and CVE-2020-0729, a remote code execution vulnerability
exists in Microsoft Windows that could allow remote code execution if a .LNK
file is processed.

Jimmy Graham,
senior director of product management, vulnerability at Qualys, said that while
CVE-2020-0662 is labeled by Microsoft as less likely to be exploited, “this
vulnerability can be attacked over the network with no user interaction. The
impacted service is not stated in the bulletin. Based on the information given,
this should be prioritized across all Windows servers and workstations.”

CVE-2020-0688,
a remote code execution vulnerability in Microsoft Exchange, was picked by Allan
Liska, intelligence analyst at Recorded Future, for special consideration. He
noted that while it is only rated a important – and not critical – vulnerability
he believes it is particularly dangerous because it is likely to be exploited.

“The
vulnerability exists in the way Exchange handles objects in memory. A specially
crafted email would allow an attacker to exploit the Exchange Server and
execute arbitrary code. Microsoft identifies this vulnerability as likely to be
exploited,” Liska said.

Graham
explained that exploitation of the flaw would lead to arbitrary code execution
in the context of the System user, granting an attacker the ability to create a
new account, install programs, and view, change or delete data.