- Microsoft has released this month’s security patch, and it’s a pretty big one, addressing 117 flaws.
- Thankfully, there are no zero-day flaws in there, but you are still advised to apply the patch immediately.
- This is the first patch that doesn’t bring any fixes for Windows 7.
Microsoft has released this month’s patch for Windows and its other products, fixing a total of 117 vulnerabilities. Interestingly enough, 25 of the now-fixed flaws are categorized as “critical”, while 91 are classified as “important”. None of these flaws were under active exploitation by malicious actors, but it is advisable to apply the patches as quickly as you can to mitigate the risk of compromise.
Below is a selection of the most important flaws and vulnerabilities that were addressed by Microsoft via this month’s patch.
- CVE-2020-0684: Remote code execution (RCE) flaw based on the opening of a specially crafted “.LNK” file containing a malicious binary.
- CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, and CVE-2020-0869: Memory corruption vulnerabilities in Microsoft Media Foundation. Triggered by opening a specially crafted file or website, they can let an attacker create new accounts, access data, and even install additional programs.
- CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, and CVE-2020-0848: Memory corruption flaws in the ChakraCore scripting engine, enabling an attacker to execute arbitrary code with the rights of the logged-in user.
- CVE-2020-0824 and CVE-2020-0847: Social-engineering-based remote code execution (RCE) vulnerabilities in the VBScript engine. Exploitation requires convincing the victim to visit a specially crafted website or to open a Microsoft Office document that hosts the Internet Explorer rendering engine.
- CVE-2020-0881 and CVE-2020-0883: Remote code execution flaws in GDI+, triggered by convincing the victim to open a specially crafted website or a malicious document.
- CVE-2020-0850, CVE-2020-0851, CVE-2020-0852, and CVE-2020-0855: Remote code execution vulnerabilities in Microsoft Word, triggered by opening a malicious document.
- CVE-2020-0761: Elevation of privilege flaw in Microsoft Office, exploited by replacing a legitimate file with a specially crafted one in order to trigger a memory corruption condition.
In most of the above cases, the attackers would send the malicious files or URLs to their victims via email. Thus, you are advised to be careful with unsolicited messages, and to apply the available patches as soon as possible.
If you are using Windows 7, this is the first patch that isn’t available to you, so you remain vulnerable to these 117 identified and fixed flaws. In any case, you should keep using a security suite from a reliable vendor, and keep all applications and software components you use up to date.