February Patch Tuesday: When it rains, it pours

24th February, 2020

Following on from January’s stormy sea of updates (see Crypt32.dll flaw), February has arrived with a flood of almost 100 vulnerabilities being addressed, more than double the normal amount.

12 have been branded as “Critical” severity, with 1, an Internet Explorer flaw, earning the infamous Zero Day moniker.

CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability

This Zero Day vulnerability could provide an attacker with the same access as the attacked user. It can be exploited by well-known methods such as:

  • Tricking a user into visiting a fake version of a website.
  • Compromising legitimate websites.
  • Embedding an ActiveX control in a document that leverages IE.

The update addresses this vulnerability by modifying how the scripting engine handles objects in Internet Explorer memory.

Other browsers with security updates this month include Microsoft Edge along with Mozilla’s Firefox and Thunderbird products.

There are 16 Remote Code Execution vulnerabilities being addressed this month, 2 of which (CVE-2020-0681 and CVE-2020-0734) are further flaws within Windows Remote Desktop. Other Windows updates include patches for Office, Edge, Exchange and SQL.

This is also the first month that Windows 7 will not receive patches owing to it going end of life in January. Microsoft advise anyone still using Windows 7 to upgrade to a supported operating system as a matter of urgency in order to maintain security and stability.

Adobe have again released numerous fixes this month, this time addressing 17 CVEs for Acrobat and Reader and 1 for Flash Player.

Finally, Options Enterprise Patch Management partner Ivanti are strongly recommending installing numerous other “Critical” patches released this month: https://www.ivanti.com/blog/february-patch-tuesday-2020

Patrick Collins, Vulnerability Management

Options works closely with clients to actively patch any and all vulnerabilities – it is imperative that operating systems and 3rd party software products are kept up to date. Security doesn’t end with vulnerability patching; well-trained employees and a strong supporting security team are also essential. We continuously roll out rigorous training programs alongside numerous platform security enhancements, in addition to new cybersecurity initiatives to safeguard our clients’ data. For the latest on our Security, Intelligence and Analytics product offering, download our product sheet here.
