Today’s VERT Alert addresses Microsoft’s February 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-870 on Wednesday, February 12th.
In-The-Wild & Disclosed CVEs
CVE-2020-0674
A vulnerability exists in the way that Internet Explorer’s scripting engine handles objects in memory. An attacker that successfully exploited this vulnerability would have would have the same access as the currently logged in user. This vulnerability has been publicly exploited. Microsoft has rated this as a 0 (Exploitation Detected) on the latest software release on the Exploitability Index.
CVE-2020-0683 / CVE-2020-0686
A pair of vulnerabilities exist within the Windows Installer that could allow attackers to add or remove files from a system due to the way that symbolic links are processed within MSI packages. An attacker would need to be logged into the system and have a malicious application designed to target the vulnerability. These vulnerabilities has been publicly disclosed. Microsoft has rated both CVE-2020-0683 and CVE-2020-0686 as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.
CVE-2020-0689
This publicly disclosed vulnerability in Microsoft Security Boot could allow an attacker by bypass secure boot and load untrusted software. It is important to pay attention to the FAQ for this vulnerability. The update is a standalone update (rare for Windows 10) and requires the November Servicing Stack Update be installed. Additionally, if you are using Windows Defender Credential Guard, multiple reboots will be required. Microsoft has rated this as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.
CVE-2020-0706
A vulnerability in the handling of cross-origin requests in Microsoft browsers could allow an attacker to identify the origin of all web pages in the targeted browser. Successful exploitation would require that the victim accesses attacker controlled content. The vulnerability was addressed by changing how browsers handle cross-origin requests. This vulnerability has been publicly disclosed. Microsoft has rated this as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
Tag |
CVE Count |
CVEs |
Windows Hyper-V |
3 |
CVE-2020-0661, CVE-2020-0662, CVE-2020-0751 |
Microsoft Windows |
38 |
CVE-2020-0666, CVE-2020-0667, CVE-2020-0668, CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672, CVE-2020-0675, CVE-2020-0676, CVE-2020-0677, CVE-2020-0678, CVE-2020-0679, CVE-2020-0680, CVE-2020-0681, CVE-2020-0682, CVE-2020-0685, CVE-2020-0701, CVE-2020-0727, CVE-2020-0737, CVE-2020-0739, CVE-2020-0740, CVE-2020-0741, CVE-2020-0742, CVE-2020-0743, CVE-2020-0747, CVE-2020-0748, CVE-2020-0753, CVE-2020-0754, CVE-2020-0755, CVE-2020-0756, CVE-2020-0757, CVE-2020-0657, CVE-2020-0658, CVE-2020-0659, CVE-2020-0698, CVE-2020-0703, CVE-2020-0704, CVE-2020-0732 |
Microsoft Malware Protection Engine |
1 |
CVE-2020-0733 |
Microsoft Edge |
2 |
CVE-2020-0663, CVE-2020-0706 |
Windows Media |
1 |
CVE-2020-0738 |
Windows Installer |
3 |
CVE-2020-0683, CVE-2020-0686, CVE-2020-0728 |
Windows NDIS |
1 |
CVE-2020-0705 |
Internet Explorer |
2 |
CVE-2020-0673, CVE-2020-0674 |
Microsoft Scripting Engine |
5 |
CVE-2020-0767, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713 |
Microsoft Office SharePoint |
2 |
CVE-2020-0693, CVE-2020-0694 |
SQL Server |
1 |
CVE-2020-0618 |
Microsoft Graphics Component |
7 |
CVE-2020-0745, CVE-2020-0746, CVE-2020-0792, CVE-2020-0709, CVE-2020-0714, CVE-2020-0715, CVE-2020-0744 |
Windows Kernel |
12 |
CVE-2020-0736, CVE-2020-0716, CVE-2020-0717, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731 |
Secure Boot |
1 |
CVE-2020-0689 |
Microsoft Exchange Server |
3 |
CVE-2020-0688, CVE-2020-0696, CVE-2020-0692 |
Windows Shell |
5 |
CVE-2020-0655, CVE-2020-0702, CVE-2020-0729, CVE-2020-0730, CVE-2020-0707 |
Microsoft Office |
3 |
CVE-2020-0695, CVE-2020-0697, CVE-2020-0759 |
Microsoft Windows Search Component |
1 |
CVE-2020-0735 |
Windows RDP |
1 |
CVE-2020-0660 |
Windows Authentication Methods |
1 |
CVE-2020-0665 |
Windows Update Stack |
1 |
CVE-2020-0708 |
Windows Kernel-Mode Drivers |
1 |
CVE-2020-0691 |
Remote Desktop Client |
1 |
CVE-2020-0734 |
Windows COM |
3 |
CVE-2020-0749, CVE-2020-0750, CVE-2020-0752 |
Other Information
In addition to the Microsoft vulnerabilities included in the February Security Guidance, an advisory were released today.
February 2020 Adobe Flash Security Update [ADV200003]
Microsoft has released an advisory for Adobe Security Bulletin APSB20-06. This advisory contains updates for CVE-2020-3757.