Updated on March 12, 2020, 10:30 P.M. Eastern time with information about the SMBv3 vulnerability.
Following the unexpectedly long list of fixes included in last month’s Patch Tuesday, March brings an even longer one, albeit less eventful. A total of 115 vulnerabilities were fixed, 26 of which were identified as Critical as they could lead to remote code execution (RCE). Another 88 were classified as Important, with patches covering various Windows components such as Microsoft Office, Work Folders, and Network Connections Service. One final vulnerability was classified as Moderate. None of the listed vulnerabilities were exploited in the wild before they were patched this month; seven of the vulnerabilities were disclosed via the Zero Day Initiative.
In addition to the above fixes, a separate vulnerability in SMBv3 was disclosed and patched on March 12. Updates from Microsoft are now available to fix this particular issue, which affects both SMB clients and servers.
The most notable vulnerabilities patched this month include an RCE flaw in how .LNK files are handled, as well as a vulnerability in Microsoft Word that can be triggered via the Preview Pane. Here’s a closer look at the major vulnerabilities addressed this month:
CVE-2020-0684 is a vulnerability that could allow remote code execution when specially crafted .LNK files are processed. LNK bugs have gotten a lot of press in the past, and deservedly so. Successfully exploiting this vulnerability could give attackers the same user rights as the local user. This type of attack could lead to victims losing control over a system or its individual components and having their sensitive data stolen. It is worth noting that last month's patches also included a fix for another LNK handling vulnerability.
Microsoft Word Vulnerability
Vulnerabilities in various Microsoft Office products feature in every Patch Tuesday. However, CVE-2020-0852 stands out because this Microsoft Word vulnerability can be triggered simply by viewing a specially crafted file in the Preview Pane. This lowers the barrier to successful exploitation of this vulnerability, which would give the attacker the same level of access as the logged-in user.
CVE-2020-0796 is a vulnerability in how the SMBv3 protocol handles certain requests. As such, it is present in both the SMB server and client. For servers, an attacker could trigger it by sending a specially crafted packet to the target server. For clients, the vulnerability could be triggered when the client connects to a malicious server. In either case, exploitation could lead to remote code execution on the target device.
Trend Micro Solutions
Installing Trend Micro™ Deep Security™ and Vulnerability Protection or similar solutions can protect users from threats that target the vulnerabilities in this month’s patch list. Affected installations will be updated to minimize disruptions and ensure that critical applications and sensitive enterprise data stay protected. The following rules have been released to cover the appropriate vulnerabilities:
- 1010186 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2020-0824)
- 1010187 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0832)
- 1010188 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0833)
- 1010189 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2020-0847)
- 1010192 - Microsoft Windows SMBv3 Remote Code Execution Vulnerability
- 37268: HTTP: Microsoft Internet Explorer Remote Code Execution Vulnerability
- 37269: HTTP: Microsoft Scripting Engine Memory Corruption Vulnerability
- 37270: HTTP: Microsoft Windows Script Engine Memory Corruption Vulnerability
- 37271: HTTP: Microsoft Windows ADO Memory Corruption Vulnerability
- 37290: SMB: Microsoft Windows SMBv3 Client/Server Buffer Overflow Vulnerability