Microsoft Multiple Products Critical Vulnerabilities Threat Alert

February 26, 2020 | Mina Hao

Vulnerability Description

On February 12, 2020, Microsoft released its February security update, which fixes 100 security issues, including critical privilege escalation and remote code execution vulnerabilities in Internet Explorer, Microsoft Edge, Microsoft Exchange Server, Microsoft Office, and other widely used products.

Of the vulnerabilities addressed in this update, the local privilege escalation vulnerability in Windows Installer (CVE-2020-0683) is rated Important (see the appendix), but a proof of concept (PoC) for it has been made publicly available. The update also fixes the Internet Explorer remote code execution 0-day (CVE-2020-0674) that Microsoft disclosed in an advisory on January 17, 2020; that vulnerability has been exploited in the wild. Affected users should apply the security update as soon as possible. For the full vulnerability list, see the appendix.

For details of these vulnerabilities, visit the following link:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/releasenotedetail/2020-Feb

Major Vulnerabilities

This monthly security update from Microsoft fixes 12 critical and 88 important vulnerabilities. The vulnerabilities below have the widest impact and deserve special attention from affected users.

Windows

  • CVE-2020-0683

A privilege escalation vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or delete files.

To exploit this vulnerability, the attacker must first log on to the system and then run a specially crafted application that uses the vulnerability to add or delete files.

The security update addresses the vulnerability by changing how the Windows Installer handles reparse points.

A PoC for this vulnerability is publicly available; the original alert includes a screenshot of a successful exploitation.
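The vulnerability class above (a low-privileged user plants a symbolic link or junction that a privileged installer follows) leaves a simple artifact behind: a reparse point in a user-writable directory whose target is a protected system location. The following PowerShell script is an added example and is not part of the NSFOCUS alert or of any Microsoft tooling; it enumerates reparse points under a set of user-writable directories and flags those pointing into protected roots. The directory lists are assumptions and should be adjusted to the environment; it is a general hunt for symlink-abuse staging, not a detector specific to CVE-2020-0683.

```powershell
# Added example, not from the NSFOCUS alert. Enumerates reparse points (symbolic
# links, junctions, mount points) under user-writable roots and flags those whose
# target lies under a protected system directory. Both lists are assumptions.
param(
    [string[]]$ScanRoots = @("$env:TEMP", "$env:ProgramData", "C:\Users\Public"),
    [string[]]$ProtectedRoots = @("$env:windir", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
)

function Get-SuspiciousReparsePoints {
    param([string[]]$Roots, [string[]]$Protected)

    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Attributes ReparsePoint restricts the listing to symlinks, junctions and mount points.
        $links = Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue
        foreach ($link in $links) {
            # Windows PowerShell 5.1 exposes Target as string[], PowerShell 7 as string; normalise both.
            $target = [string]($link.Target | Select-Object -First 1)
            if (-not $target) { continue }
            $target = $target -replace '^\\\\\?\\', ''   # strip the \\?\ long-path prefix if present

            $hitsProtected = $false
            foreach ($p in $Protected) {
                if ($p -and $target -like "$p*") { $hitsProtected = $true; break }
            }
            $owner = (Get-Acl -LiteralPath $link.FullName -ErrorAction SilentlyContinue).Owner

            $findings += [pscustomobject]@{
                Link       = $link.FullName
                LinkType   = $link.LinkType
                Target     = $target
                Owner      = $owner        # a non-admin owner of a link into %windir% is the interesting case
                Created    = $link.CreationTime
                Suspicious = $hitsProtected
            }
        }
    }
    return $findings
}

Get-SuspiciousReparsePoints -Roots $ScanRoots -Protected $ProtectedRoots |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Run it in an elevated session so that directories of other users are readable. A link owned by a standard user whose target is under %windir% or Program Files is the pattern worth investigating; legitimate junctions created by installers are normally owned by SYSTEM or an administrator.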

  • CVE-2020-0662

A remote code execution vulnerability exists in the way Windows handles objects in memory. An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system with elevated privileges.

To exploit this vulnerability, an attacker with a domain user account could send a specially crafted request that causes Windows to execute arbitrary code with elevated privileges.

For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0662

Microsoft Scripting Engine

  • CVE-2020-0673, CVE-2020-0674

On January 17, 2020, Microsoft published a security advisory disclosing CVE-2020-0674 in Internet Explorer and noting that the vulnerability was being exploited in the wild. That advisory offered only workarounds and mitigations; this security update delivers the actual fix.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Internet Explorer.

An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-in user. Microsoft notes that if the user is logged in with administrative rights, an attacker who successfully exploits the vulnerability could take full control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website and entice users to visit it. Because the attacker cannot force users to view malicious content, the lure is typically delivered by email or instant message. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

Internet Explorer 9, 10, and 11 are affected by this vulnerability.

For details on these vulnerabilities and security update downloads, refer to Microsoft's official security bulletins at the following links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0673

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674
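Hosts that applied Microsoft's January workaround for CVE-2020-0674 (the published mitigation restricted access to jscript.dll with takeown and cacls, denying Everyone; the alert mentions the workaround but does not reproduce it) should have it reverted once the February update is installed, because the deny ACE breaks components that legitimately load jscript.dll. The following PowerShell script is an added example, not from the NSFOCUS alert or from Microsoft; it reports, for each copy of jscript.dll, whether that deny ACE is present, who owns the file, and the file version, so the pre-patch and post-patch state can be confirmed.

```powershell
# Added example, not from the NSFOCUS alert. Reports whether the ADV200001-style
# workaround (explicit Deny ACE for Everyone on jscript.dll) is still in place.
function Get-JscriptWorkaroundState {
    $paths = @("$env:windir\System32\jscript.dll", "$env:windir\SysWOW64\jscript.dll")

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # SysWOW64 is absent on 32-bit Windows
        $acl = Get-Acl -LiteralPath $path

        # The workaround shows up as an explicit Deny ACE for Everyone (cacls ... /P everyone:N).
        $denyEveryone = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -in @('Everyone', 'S-1-1-0')
        }

        [pscustomobject]@{
            Path              = $path
            FileVersion       = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            Owner             = $acl.Owner   # normally NT SERVICE\TrustedInstaller; takeown changes it
            WorkaroundApplied = [bool]$denyEveryone
        }
    }
}

Get-JscriptWorkaroundState | Format-Table -AutoSize
```

WorkaroundApplied = True on a host that already has the February update installed means the workaround was never undone; Microsoft's undo step removes the Everyone entry again with cacls /E /R everyone on each affected jscript.dll. Compare FileVersion across hosts to spot machines that report the patch as installed but still carry the old binary.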

  • CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767

Remote code execution vulnerabilities exist in the way the ChakraCore scripting engine handles objects in memory. An attacker who successfully exploits one of these vulnerabilities could gain the same user rights as the logged-in user.

For details on these vulnerabilities and security update downloads, refer to Microsoft's official security bulletins at the following links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0710

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0711

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0712

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0713

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0767

RDP

  • CVE-2020-0681, CVE-2020-0734

These are two remote code execution vulnerabilities in the Windows Remote Desktop Client.

An attacker who successfully exploits either vulnerability could execute arbitrary code on the computer of a user who connects to a malicious server, and could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit these vulnerabilities, the attacker must control a server and entice users to connect to it; a user who connects to the malicious server triggers the vulnerability. The attacker cannot force users to connect, but could persuade them to do so through social engineering, DNS poisoning, or a man-in-the-middle attack. The attacker could also compromise a legitimate server, host malicious code on it, and wait for users to connect.

For details on these vulnerabilities and security update downloads, refer to Microsoft's official security bulletins at the following links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0681

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0734

LNK

  • CVE-2020-0729

This is a remote code execution vulnerability in Microsoft Windows that is triggered when Windows processes .LNK files.

An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-in user.

The attacker could provide the user with a removable drive or remote share that contains a malicious .LNK file and an associated malicious binary. When the user opens the drive (or share) in Windows Explorer or any other application that parses the .LNK file, the malicious binary executes code of the attacker's choice on the target system.

For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729
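The attack scenario above pairs a shortcut with a binary shipped on the same removable drive or share, so an inventory of every .LNK on such a volume, with where each one actually points, is the first triage step when a suspicious drive turns up. The following PowerShell script is an added example, not from the NSFOCUS alert or from Microsoft; it reads each shortcut through the WScript.Shell COM object and flags shortcuts whose target or icon source lives on the scanned volume itself or resolves to an executable. The scanned root is an input, and the flagging heuristics are assumptions. Because reading a shortcut this way is itself LNK parsing, run the script only on a host that already has the February update installed.

```powershell
# Added example, not from the NSFOCUS alert. Inventories .LNK files under a
# removable drive or share root and flags shortcuts that point back into the
# same volume or at an executable. Run on a patched host only: CreateShortcut
# parses the LNK with the Windows shell link code.
param([Parameter(Mandatory = $true)][string]$Root)   # e.g. E:\ or \\server\share

function Get-LnkInventory {
    param([string]$ScanRoot)

    $shell = New-Object -ComObject WScript.Shell
    # ProviderPath gives the plain path for both drive-letter and UNC locations.
    $rootResolved = (Resolve-Path -LiteralPath $ScanRoot).ProviderPath.TrimEnd('\')
    # Volume identity: "\\server\share" for UNC, otherwise the drive letter "E:".
    $volume = if ($rootResolved -match '^\\\\[^\\]+\\[^\\]+') { $Matches[0] } else { $rootResolved.Substring(0, 2) }

    Get-ChildItem -LiteralPath $ScanRoot -Filter *.lnk -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $_
            try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { return }   # skip unreadable shortcuts

            $target = [string]$sc.TargetPath
            $icon   = ([string]$sc.IconLocation -split ',')[0]   # "path,index" -> path
            $ext    = [IO.Path]::GetExtension($target).ToLower()

            [pscustomobject]@{
                Shortcut   = $lnk.FullName
                Target     = $target
                Arguments  = [string]$sc.Arguments
                IconSource = $icon
                Hidden     = (($lnk.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                SameVolume = (($target -like "$volume*") -or ($icon -like "$volume*"))
                Executable = ($ext -in '.exe', '.dll', '.cpl', '.scr', '.com')
            }
        }
}

Get-LnkInventory -ScanRoot $Root |
    Sort-Object SameVolume, Executable -Descending |
    Format-Table -AutoSize
```

A hidden shortcut whose target or icon source is a DLL or executable sitting on the same removable volume is exactly the pairing the advisory describes and should be hashed and submitted for analysis before the drive is opened in Explorer on any unpatched machine.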

Media Foundation

  • CVE-2020-0738

Windows Media Foundation has a memory corruption vulnerability caused by improper handling of objects in memory.

An attacker who successfully exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

The attacker could exploit it in several ways, for example by convincing a user to open a crafted document or visit a malicious web page.

For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0738

Mitigation

Security Update

Microsoft has released security updates that fix the preceding vulnerabilities in the system versions it still maintains. Affected users should apply them as soon as possible. The fixes are available at the following link:

https://portal.msrc.microsoft.com/zh-cn/security-guidance

Note: Windows Update may fail to install an update because of network problems or the local environment. After applying the security update, confirm that it actually installed.

Right-click the Windows icon and choose Settings > Update & Security > Windows Update to view the update status, or click View update history to see previously installed updates.

For an update that did not install successfully, click its name to open Microsoft's official page for it, then follow the link on that page to the Microsoft Update Catalog to download the standalone update package and install it manually.
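The manual check described above does not scale to a fleet, and a host that silently rolled back an update looks patched until someone reads its history. The following PowerShell script is an added example, not from the NSFOCUS alert or from Microsoft; it verifies a list of expected KB numbers against the installed hotfixes and walks the Windows Update history through the Microsoft.Update.Session COM interface for installs that failed or were aborted. The KB list is an input (look up the correct cumulative update for each OS build in the Microsoft Update Catalog), and the 45-day look-back window is an assumption.

```powershell
# Added example, not from the NSFOCUS alert. Confirms that expected KBs are
# installed and lists failed/aborted installs from the Windows Update history.
param([string[]]$ExpectedKB = @())   # e.g. -ExpectedKB KB1234567 (assumption: caller supplies the right KB per build)

function Test-ExpectedHotfix {
    param([string[]]$KB)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed via component servicing.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Get-FailedUpdateHistory {
    param([datetime]$Since = (Get-Date).AddDays(-45))
    # IUpdateHistoryEntry.ResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
    $resultNames = @{ 4 = 'Failed'; 5 = 'Aborted' }

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }

    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Date -ge $Since -and $_.ResultCode -in 4, 5 } |
        ForEach-Object {
            [pscustomobject]@{
                Date    = $_.Date
                Title   = $_.Title
                Result  = $resultNames[[int]$_.ResultCode]
                HResult = ('0x{0:X8}' -f $_.HResult)   # e.g. 0x80070643 for a failed MSI-based install
            }
        }
}

$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber)"
if ($ExpectedKB.Count -gt 0) { Test-ExpectedHotfix -KB $ExpectedKB | Format-Table -AutoSize }
Get-FailedUpdateHistory | Format-Table -AutoSize
```

An Installed = False row for the month's cumulative update, or any Failed entry whose Title matches it, identifies a host for the manual Update Catalog install described above. The HResult is the value to search for when the failure is not a transient network error.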

Appendix: Vulnerability List

Vulnerable Product | CVE ID | Vulnerability Title | Severity Level
Adobe Flash Player | ADV200003 | February 2020 Adobe Flash Security Update | Important
Internet Explorer | CVE-2020-0673 | Scripting Engine Memory Corruption Vulnerability | Critical
Internet Explorer | CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Edge | CVE-2020-0663 | Microsoft Edge Privilege Escalation Vulnerability | Important
Microsoft Edge | CVE-2020-0706 | Microsoft Browser Information Disclosure Vulnerability | Important
Microsoft Exchange Server | CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability | Important
Microsoft Exchange Server | CVE-2020-0696 | Microsoft Outlook Security Feature Bypass Vulnerability | Important
Microsoft Exchange Server | CVE-2020-0692 | Microsoft Exchange Server Privilege Escalation Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0745 | Windows Graphics Component Privilege Escalation Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0746 | Microsoft Graphics Components Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0792 | Windows Graphics Component Privilege Escalation Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0709 | DirectX Privilege Escalation Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0714 | DirectX Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0715 | Windows Graphics Component Privilege Escalation Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0744 | Windows GDI Information Disclosure Vulnerability | Important
Microsoft Malware Protection Engine | CVE-2020-0733 | Windows Malicious Software Removal Tool Privilege Escalation Vulnerability | Important
Microsoft Office | CVE-2020-0695 | Microsoft Office Online Server Spoofing Vulnerability | Important
Microsoft Office | CVE-2020-0697 | Microsoft Office Tampering Vulnerability | Important
Microsoft Office | CVE-2020-0759 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-0693 | Microsoft Office SharePoint XSS Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-0694 | Microsoft Office SharePoint XSS Vulnerability | Important
Microsoft Scripting Engine | CVE-2020-0767 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Scripting Engine | CVE-2020-0710 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Scripting Engine | CVE-2020-0711 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Scripting Engine | CVE-2020-0712 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Scripting Engine | CVE-2020-0713 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Windows | CVE-2020-0666 | Windows Search Indexer Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0667 | Windows Search Indexer Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0668 | Windows Kernel Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0669 | Windows Kernel Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0670 | Windows Kernel Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0671 | Windows Kernel Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0672 | Windows Kernel Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0675 | Windows Key Isolation Service Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0676 | Windows Key Isolation Service Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0677 | Windows Key Isolation Service Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0678 | Windows Error Reporting Manager Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0679 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0680 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0681 | Remote Desktop Client Remote Code Execution Vulnerability | Critical
Microsoft Windows | CVE-2020-0682 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0685 | Windows COM Server Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0701 | Windows Client License Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0727 | Connected User Experiences and Telemetry Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0737 | Windows Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0739 | Windows Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0740 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0741 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0742 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0743 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0747 | Windows Data Sharing Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0748 | Windows Key Isolation Service Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0753 | Windows Error Reporting Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0754 | Windows Error Reporting Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0755 | Windows Key Isolation Service Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0756 | Windows Key Isolation Service Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0757 | Windows SSH Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0657 | Windows Common Log File System Driver Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0658 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0659 | Windows Data Sharing Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0698 | Windows Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-0703 | Windows Backup Service Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0704 | Windows Wireless Network Manager Privilege Escalation Vulnerability | Important
Microsoft Windows | CVE-2020-0732 | DirectX Privilege Escalation Vulnerability | Important
Microsoft Windows Search Component | CVE-2020-0735 | Windows Search Indexer Privilege Escalation Vulnerability | Important
Remote Desktop Client | CVE-2020-0734 | Remote Desktop Client Remote Code Execution Vulnerability | Critical
Secure Boot | CVE-2020-0689 | Windows Secure Boot Security Feature Bypass Vulnerability | Important
SQL Server | CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability | Important
Windows Authentication Methods | CVE-2020-0665 | Active Directory Privilege Escalation Vulnerability | Important
Windows COM | CVE-2020-0749 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important
Windows COM | CVE-2020-0750 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important
Windows COM | CVE-2020-0752 | Windows Search Indexer Privilege Escalation Vulnerability | Important
Windows Hyper-V | CVE-2020-0661 | Windows Hyper-V Denial-of-Service Vulnerability | Important
Windows Hyper-V | CVE-2020-0662 | Windows Remote Code Execution Vulnerability | Critical
Windows Hyper-V | CVE-2020-0751 | Windows Hyper-V Denial-of-Service Vulnerability | Important
Windows Installer | CVE-2020-0683 | Windows Installer Privilege Escalation Vulnerability | Important
Windows Installer | CVE-2020-0686 | Windows Installer Privilege Escalation Vulnerability | Important
Windows Installer | CVE-2020-0728 | Windows Modules Installer Service Information Disclosure Vulnerability | Important
Windows Kernel | CVE-2020-0736 | Windows Kernel Information Disclosure Vulnerability | Important
Windows Kernel | CVE-2020-0716 | Win32k Information Disclosure Vulnerability | Important
Windows Kernel | CVE-2020-0717 | Win32k Information Disclosure Vulnerability | Important
Windows Kernel | CVE-2020-0719 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0720 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0721 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0722 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0723 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0724 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0725 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0726 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel | CVE-2020-0731 | Win32k Privilege Escalation Vulnerability | Important
Windows Kernel-Mode Drivers | CVE-2020-0691 | Win32k Privilege Escalation Vulnerability | Important
Windows Media | CVE-2020-0738 | Media Foundation Memory Corruption Vulnerability | Critical
Windows NDIS | CVE-2020-0705 | Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability | Important
Windows RDP | CVE-2020-0660 | Windows Remote Desktop Protocol (RDP) Denial-of-Service Vulnerability | Important
Windows Shell | CVE-2020-0655 | Remote Desktop Services Remote Code Execution Vulnerability | Important
Windows Shell | CVE-2020-0702 | Surface Hub Security Feature Bypass Vulnerability | Important
Windows Shell | CVE-2020-0729 | LNK Remote Code Execution Vulnerability | Critical
Windows Shell | CVE-2020-0730 | Windows User Profile Service Privilege Escalation Vulnerability | Important
Windows Shell | CVE-2020-0707 | Windows IME Privilege Escalation Vulnerability | Important
Windows Update Stack | CVE-2020-0708 | Windows Imaging Library Remote Code Execution Vulnerability | Important


Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world's five largest financial institutions, organizations in the insurance, retail, healthcare, and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.