March 2020 Patch Tuesday Commentary

Microsoft has resolved 115 unique common vulnerabilities and exposures, 26 of which were rated as Critical.

Microsoft has resolved 115 unique common vulnerabilities and exposures (CVEs), 26 of which were rated as Critical. There are no publicly disclosed or known exploited vulnerabilities this month. Updates this month include Windows, Edge (HTML and Chromium), ChakraCore, Internet Explorer, Microsoft Exchange Server, Microsoft Office, Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, Open Source Software, Azure, and Microsoft Dynamics. The majority of the CVEs this month are in the Windows OS (79 CVEs) or the browsers (18 CVEs).

Microsoft has released servicing stack updates for most of the Windows OS versions. The only exceptions this month are Windows 10 version 1703, Server 2008 and Windows 7\2008 R2.

Microsoft has announced a vulnerability for Remote Desktop Connection Manager (CVE-2020-0765), but states they do not plan to release an update to fix the issue. The product has been deprecated. Their guidance is to use caution if you continue to use Remote Desktop Connection Manager, but Microsoft recommends moving to supported Remote Desktop clients.

Microsoft has resolved several information disclosure vulnerabilities in the Windows OS this month in components such as GDI, Windows Graphics Component, Win32k, Windows Modules Installer Service, Windows Network Driver Interface Specification, and Connected User Experiences and Telemetry Service. These vulnerabilities could allow attackers to read from the file system, uninitialized memory, or even memory contents in kernel space from a user mode process. A couple of these vulnerabilities could also allow an attacker to collect information that could allow them to predict addressing of memory.

A Microsoft Word remote code execution vulnerability (CVE-2020-0852) could be exploited through the Preview pane in Outlook making it a more interesting target for threat actors.

Mozilla has released updates for Firefox and Firefox ESR today resolving a total of 12 unique CVEs. Both are rated as High by Mozilla classification, one step below Critical, which is the most severe. The worst of these could allow for arbitrary code execution.

Ivanti’s recommendation is to focus on the Windows OS and browser updates along with Office as the top priorities this month.