Microsoft Issues March 2020 Updates to Patch 115 Security Flaws

Microsoft today released security updates to fix a total of
115 new security vulnerabilities in various versions of its Windows
operating system and related software—making March 2020 edition the
biggest ever Patch Tuesday in the company’s history.

Of the 115 bugs spanning its various products — Microsoft
Windows, Edge browser, Internet Explorer, Exchange Server, Office,
Azure, Windows Defender, and Visual Studio — that received new
patches, 26 have been rated as critical, 88 received a severity of
important, and one is moderate in severity.

However, unlike last
month, none of the vulnerabilities the tech giant patched this
month are listed as being publicly known or under active attack at
the time of release.
^[1]

It’s worth highlighting that the patch addresses critical flaws
that could be potentially exploited by bad actors to execute
malicious code by specially crafted LNK files and word documents.

Titled “LNK Remote Code Execution Vulnerability” (CVE-2020-0684^[2]), the flaw allows an
attacker to create malicious LNK shortcut files that can perform
code execution.

“The attacker could present to the user a removable drive, or
remote share, that contains a malicious .LNK file and an associated
malicious binary,” Microsoft detailed in its advisory. “When the
user opens this drive(or remote share) in Windows Explorer or any
other application that parses the .LNK file, the malicious binary
will execute code of the attacker’s choice on the target
system.”

The other bug, Microsoft Word Remote Code Execution
Vulnerability (CVE-2020-0852^[3]), allows the malware to
execute code on a system by merely viewing a specially crafted Word
file in the Preview Pane with the same permissions as the currently
logged-on user. Microsoft has warned that Microsoft Outlook Preview
Pane is also an attack vector for this vulnerability.

Elsewhere, the Redmond-based company also issued fixes for
remote code execution vulnerabilities tied to Internet Explorer
(CVE-2020-0833,
CVE-2020-0824),
Chakra scripting engine (CVE-2020-0811),
and Edge browser (CVE-2020-0816).
^[4][5][6][7]

One other bug worthy of note is CVE-2020-0765
impacting Remote Desktop Connection Manager (RDCMan), for which
there is no fix. “Microsoft is not planning on fixing this
vulnerability in RDCMan and has deprecated the application.
Microsoft recommends using supported Remote Desktop clients and
exercising caution when opening RDCMan configuration files (.rdg),”
the disclosure reads.

It’s recommended that users and system administrators test and
apply the latest security patches as soon as possible to prevent
malware or miscreants from exploiting them to gain complete, remote
control over vulnerable computers without any intervention.

For installing the latest security
updates^[9], Windows users can head
to Start > Settings > Update & Security > Windows Update,
or by selecting Check for Windows updates.

^[8]