It's Patch Tuesday : Time to secure your systems once again! To the delight of Sysadmins everywhere, the world of patching is not completely on fire for the first time in months. No zero days, no actively being exploited, none known before release. It is interesting how quickly you can adjust to 100+ exploits closed, 20+ of those being critical. I used to write these all aghast, with my fainting couch nearby, as I would talk about 3 digits of exploits and surely this is an outlier. Now look at me - talking about 129 CVE’s patched (23 critical)- and it feels like a big win that none of these had been publicly known or are being actively exploited.
Some Highlights (Or Lowlights)
CVE-2020-1252 - This one is a remote code execution bug that comes from how Windows handles memory. Some Jerk face could make an application, that if run, would allow them to take control of that system. Even creating new accounts that have full access.
CVE-2020-0908 - This is an exploit with the Windows Text Service Module. An attacker could create a website that is a user went to in Edge, and through that, get the ability to execute malicious code. This one would take some social engineering to get any type of access.
CVE-2020-1285 - This exploit is in Graphics Device Interface. It can be exploited through a file share or a corrupted website, but in both cases, it does require a user to interact with the bad file. If a user did click on such a file then the attacker would be able to run scripts or create a new user account with full access.
In Review
So here we are in our lull of doom. Breathe easy, laugh at the weak offering, maybe even dance for joy through the cubicles or front room, depending on where you are working from. Make sure you do still patch though. "Less critical" does not mean "no risk".
