It's time for another Patch Tuesday! This year has been crazy for security updates. January started us off with CVE-2020-0601, a zero-day so bad the NSA chose to tell us about it. February had a staggering 99 security patches, with 12 of them being considered critical. You probably thought we would end the first quarter with a quiet month. Prepare to be disappointed.
March brings patches for 115 CVEs, with 26 of them being deemed critical. On the bright side, none have been exploited, which is a massive improvement over last month, when 5 were known, with 1 already exploited. It seems we have a fun trend where we are closing more CVEs but with less threat each month. By December's Patch Tuesday we will close 346 CVEs, but none will be rated over moderate. Enough about my amateur reading of trends! Let's dive into some of the more intriguing things that are getting patched today.
CVE-2020-0852 - Hackers can create a specially crafted file in Microsoft Word that would allow them to perform actions as the current user. This exploit requires someone clicking on a link or opening a corrupt document, so it looks like all of your end-user training about spotting a scam is going to pay some dividends!
CVE-2020-0684 - When it comes to this many CVEs, you are bound to rehash some of the classics. The vulnerability allows an attacker to give the user a shared drive with a malicious .LNK file. When opened in Windows Explorer it will parse the bad file and execute code of the attacker's choice. We saw something very similar in February in CVE-2020-0729.
CVE-2020-0816 - This is a vulnerability for Microsoft Edge. It could corrupt memory in a way that would allow an attacker to run code in the context of the current user. If the user has admin rights, they could take control of the affected system.
Outside of these three, we have patching for Exchange, Windows Defender, Visual Studio, and Azure DevOps. With a large number of the critical being based on web browsers. A large number of patches are not ideal, but take comfort in the fact that none are considered public, and none have been exploited. As long as you are patching your systems, most of these will be fixed before they have a chance to impact your environment.
Since you are here reading about patching, I would recommend looking at PDQ Deploy and PDQ Inventory to help you get it done quickly and easily. It gives you the tools you need to get your systems quickly patched and will provide you with accurate reporting once it is done installing. Lex breaks down how to set this up to have it autopatch for you here.
I hope to see you all April 14th, let's dream of a peaceful and serene month where we buck the trend of increasing CVEs.