Vulnerability Description
On February 12, 2020, Microsoft released its February security update, which fixes 100 security issues, including critical privilege escalation and remote code execution vulnerabilities in Internet Explorer, Microsoft Edge, Microsoft Exchange Server, Microsoft Office, and other widely used products.
Of the vulnerabilities addressed in this security update, the local privilege escalation vulnerability (CVE-2020-0683) in Windows Installer is rated critical and its proof of concept (PoC) has been made publicly available. The Internet Explorer remote code execution 0-day vulnerability (CVE-2020-0674), announced by Microsoft on January 17, 2020, is also fixed in this security update; it has been found exploited in the wild. Affected users should apply the security update as soon as possible for protection. For the full vulnerability list, see the appendix.
For details of these vulnerabilities, visit the following link:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/releasenotedetail/2020-Feb
Major Vulnerabilities
This monthly security update from Microsoft fixes 12 critical and 88 important vulnerabilities. The following vulnerabilities have an extensive impact, and affected users should pay special attention to them.
Windows
- CVE-2020-0683
A privilege escalation vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or delete files.
To exploit this vulnerability, the attacker must first log in to the system and run a specially crafted application that uses the vulnerability to add or delete files.
The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer.
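As an added illustration (not code from the advisory, from Microsoft, or from the public PoC), the following PowerShell function shows the condition the fix guards against: it walks a path one component at a time and reports every component that is a reparse point (symbolic link, junction, or mount point). An administrator can run it over the directories a privileged installer or service writes to; any hit means a write to that path would be redirected to the link target. The function name and the usage path are assumptions.

```powershell
# Added example, not part of the NSFOCUS advisory or of Windows Installer.
# Walks $Path from its root and reports each component that is a reparse point.
function Get-ReparsePointsInPath {
    param([Parameter(Mandatory)][string]$Path)

    # Normalise to an absolute path and split it into components.
    $full  = [System.IO.Path]::GetFullPath($Path)
    $root  = [System.IO.Path]::GetPathRoot($full)            # e.g. C:\
    $parts = $full.Substring($root.Length) -split '[\\/]' | Where-Object { $_ -ne '' }

    $current = $root
    foreach ($part in $parts) {
        $current = Join-Path -Path $current -ChildPath $part
        # A reparse point can only sit on a component that already exists,
        # so stop at the first component that is not there yet.
        if (-not (Test-Path -LiteralPath $current)) { break }

        $item = Get-Item -LiteralPath $current -Force
        if ($item.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) {
            [pscustomobject]@{
                Component = $current
                LinkType  = $item.LinkType              # SymbolicLink, Junction, ...
                Target    = ($item.Target -join ';')    # empty for some reparse types
            }
        }
    }
}

# Usage (path is an assumed example): any output means a privileged write to
# this path would land somewhere other than where the path suggests.
Get-ReparsePointsInPath -Path "$env:TEMP\setup\install.log"
```

This is a diagnostic, not a protection: a check-then-write sequence in a script can still be raced between the check and the write, so the durable mitigation remains installing the update, which changes how the Windows Installer itself handles reparse points.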
The PoC for this vulnerability is currently publicly available. The following screenshot shows successful exploitation.
- CVE-2020-0662
A remote code execution vulnerability exists in the way Windows handles objects in memory. An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system with elevated privileges.
To exploit this vulnerability, an attacker with a domain user account could send a specially crafted request that causes Windows to execute arbitrary code with elevated privileges.
For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0662
Microsoft Scripting Engine
- CVE-2020-0673, CVE-2020-0674
Microsoft released a security bulletin announcing the discovery of CVE-2020-0674 in Internet Explorer and noting that the vulnerability was being exploited in the wild. That bulletin provided only workarounds and mitigations; this security update adds a patch that addresses the vulnerability.
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Internet Explorer.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-in user. Microsoft indicates that if a user logs in with administrative user rights, an attacker who successfully exploits this vulnerability could take full control of the affected system. After that, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website and entice users to visit it. Because the attacker cannot force users to view the malicious content, users are usually lured through email or instant messages. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.
Internet Explorer 9, 10, and 11 are affected by this vulnerability.
For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0673
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674
- CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767
A remote code execution vulnerability exists in the way the ChakraCore scripting engine handles objects in memory. An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-in user.
For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0710
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0711
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0712
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0713
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0767
RDP
- CVE-2020-0681, CVE-2020-0734
These are two remote code execution vulnerabilities in the Windows Remote Desktop Client.
An attacker who successfully exploits these vulnerabilities could execute arbitrary code on the computer of a user connected to a malicious server. After that, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit these vulnerabilities, the attacker would first need to control a server and entice users to connect to it. A user who connects to this malicious server could trigger the vulnerability. Although the attacker cannot force users to connect to the malicious server, the attacker could persuade them to do so through social engineering, DNS poisoning, or man-in-the-middle attacks. The attacker could also compromise a legitimate server, host malicious code on it, and wait for users to connect.
For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0681
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0734
LNK
- CVE-2020-0729
A remote code execution vulnerability exists in Microsoft Windows in the way it processes .LNK files.
An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-in user.
The attacker could provide the user with a removable drive or remote share that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer or any other application that parses the .LNK file, the malicious binary executes code of the attacker’s choice on the target system.
For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729
Media Foundation
- CVE-2020-0738
Windows Media Foundation is prone to a memory corruption vulnerability caused by improper handling of objects in memory.
An attacker who successfully exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could exploit this vulnerability in various ways, for example, by convincing users to open a crafted document or visit a malicious web page.
For details on this vulnerability and security update download, refer to Microsoft’s official security bulletin at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0738
Mitigation
Security Update
Microsoft has released security updates that fix the preceding vulnerabilities in the system versions it currently maintains. Affected users should apply these fixes as soon as possible for protection. The fixes are available at the following link:
https://portal.msrc.microsoft.com/zh-cn/security-guidance
Note: Windows Update may fail to install an update for reasons such as network issues or the computer’s environment. After applying the security update, check promptly whether it was installed successfully.
Right-click the Windows icon and choose Settings > Update & Security > Windows Update to view the update status, or click View update history to see previously installed updates.
For an update that did not install successfully, click its name to open Microsoft’s official page for that update, then follow the link on that page to the Microsoft Update Catalog website, download the update package, and install it.
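As an added example (not part of the NSFOCUS advisory), the same check can be done from PowerShell instead of the Settings app. The script compares a list of required KB numbers against the hotfixes the servicing stack reports and against the Windows Update Agent's own history, which is where a failed attempt and its error code are recorded. The KB number in `$RequiredKBs` is a placeholder; take the real KB numbers for your Windows build from the Microsoft Update Catalog.

```powershell
# Added example, not from the advisory or from Microsoft. Verifies that the
# security updates named in $RequiredKBs actually installed on this host.
param(
    [string[]]$RequiredKBs = @('KB0000000')   # placeholder, replace with real KB numbers
)

# 1. What the servicing stack reports as installed.
$installed = Get-HotFix | Select-Object HotFixID, InstalledOn

# 2. What Windows Update itself recorded, including failed attempts.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# OperationResultCode values defined by the Windows Update Agent API.
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

foreach ($kb in $RequiredKBs) {
    $hotfix  = $installed | Where-Object HotFixID -eq $kb
    $attempt = $history |
        Where-Object { $_.Title -like "*$kb*" } |
        Sort-Object Date -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        KB          = $kb
        Installed   = [bool]$hotfix
        InstalledOn = $hotfix.InstalledOn
        LastAttempt = $attempt.Date
        LastResult  = if ($attempt) { $resultNames[[int]$attempt.ResultCode] } else { 'NoRecord' }
        HResult     = if ($attempt) { '0x{0:X8}' -f $attempt.HResult } else { $null }
    }
}
```

Run it in an elevated PowerShell session on the patched host. `Get-HotFix` reads `Win32_QuickFixEngineering`, which does not list every update type, so a row showing `Installed = False` together with `LastResult = Succeeded` should be checked against the OS build number and the KB's "applies to" list rather than reinstalled blindly; a row with `LastResult = Failed` and a non-zero `HResult` is the case where the manual download from the Microsoft Update Catalog described above is needed.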
Appendix: Vulnerability List
Vulnerable Product | CVE ID | Vulnerability Title | Severity Level |
--- | --- | --- | --- |
Adobe Flash Player | ADV200003 | February 2020 Adobe Flash Security Update | Important |
Internet Explorer | CVE-2020-0673 | Scripting Engine Memory Corruption Vulnerability | Critical |
Internet Explorer | CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Edge | CVE-2020-0663 | Microsoft Edge Privilege Escalation Vulnerability | Important |
Microsoft Edge | CVE-2020-0706 | Microsoft Browser Information Disclosure Vulnerability | Important |
Microsoft Exchange Server | CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability | Important |
Microsoft Exchange Server | CVE-2020-0696 | Microsoft Outlook Security Feature Bypass Vulnerability | Important |
Microsoft Exchange Server | CVE-2020-0692 | Microsoft Exchange Server Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0745 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0746 | Microsoft Graphics Components Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0792 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0709 | DirectX Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0714 | DirectX Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0715 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0744 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Malware Protection Engine | CVE-2020-0733 | Windows Malicious Software Removal Tool Privilege Escalation Vulnerability | Important |
Microsoft Office | CVE-2020-0695 | Microsoft Office Online Server Spoofing Vulnerability | Important |
Microsoft Office | CVE-2020-0697 | Microsoft Office Tampering Vulnerability | Important |
Microsoft Office | CVE-2020-0759 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0693 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0694 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Scripting Engine | CVE-2020-0767 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2020-0710 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2020-0711 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2020-0712 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2020-0713 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Windows | CVE-2020-0666 | Windows Search Indexer Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0667 | Windows Search Indexer Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0668 | Windows Kernel Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0669 | Windows Kernel Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0670 | Windows Kernel Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0671 | Windows Kernel Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0672 | Windows Kernel Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0675 | Windows Key Isolation Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0676 | Windows Key Isolation Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0677 | Windows Key Isolation Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0678 | Windows Error Reporting Manager Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0679 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0680 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0681 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
Microsoft Windows | CVE-2020-0682 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0685 | Windows COM Server Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0701 | Windows Client License Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0727 | Connected User Experiences and Telemetry Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0737 | Windows Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0739 | Windows Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0740 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0741 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0742 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0743 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0747 | Windows Data Sharing Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0748 | Windows Key Isolation Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0753 | Windows Error Reporting Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0754 | Windows Error Reporting Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0755 | Windows Key Isolation Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0756 | Windows Key Isolation Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0757 | Windows SSH Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0657 | Windows Common Log File System Driver Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0658 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0659 | Windows Data Sharing Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0698 | Windows Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0703 | Windows Backup Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0704 | Windows Wireless Network Manager Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2020-0732 | DirectX Privilege Escalation Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0735 | Windows Search Indexer Privilege Escalation Vulnerability | Important |
Remote Desktop Client | CVE-2020-0734 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
Secure Boot | CVE-2020-0689 | Windows Secure Boot Security Feature Bypass Vulnerability | Important |
SQL Server | CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability | Important |
Windows Authentication Methods | CVE-2020-0665 | Active Directory Privilege Escalation Vulnerability | Important |
Windows COM | CVE-2020-0749 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important |
Windows COM | CVE-2020-0750 | Connected Devices Platform Service Privilege Escalation Vulnerability | Important |
Windows COM | CVE-2020-0752 | Windows Search Indexer Privilege Escalation Vulnerability | Important |
Windows Hyper-V | CVE-2020-0661 | Windows Hyper-V Denial-of-Service Vulnerability | Important |
Windows Hyper-V | CVE-2020-0662 | Windows Remote Code Execution Vulnerability | Critical |
Windows Hyper-V | CVE-2020-0751 | Windows Hyper-V Denial-of-Service Vulnerability | Important |
Windows Installer | CVE-2020-0683 | Windows Installer Privilege Escalation Vulnerability | Important |
Windows Installer | CVE-2020-0686 | Windows Installer Privilege Escalation Vulnerability | Important |
Windows Installer | CVE-2020-0728 | Windows Modules Installer Service Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-0736 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-0716 | Win32k Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-0717 | Win32k Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-0719 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0720 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0721 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0722 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0723 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0724 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0725 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0726 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2020-0731 | Win32k Privilege Escalation Vulnerability | Important |
Windows Kernel-Mode Drivers | CVE-2020-0691 | Win32k Privilege Escalation Vulnerability | Important |
Windows Media | CVE-2020-0738 | Media Foundation Memory Corruption Vulnerability | Critical |
Windows NDIS | CVE-2020-0705 | Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability | Important |
Windows RDP | CVE-2020-0660 | Windows Remote Desktop Protocol (RDP) Denial-of-Service Vulnerability | Important |
Windows Shell | CVE-2020-0655 | Remote Desktop Services Remote Code Execution Vulnerability | Important |
Windows Shell | CVE-2020-0702 | Surface Hub Security Feature Bypass Vulnerability | Important |
Windows Shell | CVE-2020-0729 | LNK Remote Code Execution Vulnerability | Critical |
Windows Shell | CVE-2020-0730 | Windows User Profile Service Privilege Escalation Vulnerability | Important |
Windows Shell | CVE-2020-0707 | Windows IME Privilege Escalation Vulnerability | Important |
Windows Update Stack | CVE-2020-0708 | Windows Imaging Library Remote Code Execution Vulnerability | Important |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.