Massive Patch Tuesday resolves nearly 100 security flaws

Feb 12, 2020 09:29 GMT

The February 2019 Microsoft Patch Tuesday brings patches for a total of 99 vulnerabilities in products developed by the software giant, including 12 security flaws rated as critical.

No fewer than 7 of the 12 critical vulnerabilities affect browsers and scripting engines, while 2 concern the Remote Desktop Client. Businesses are advised to deploy these patches first.

One particular highlight this month is the scripting engine memory corruption vulnerability in Internet Explorer. Tracked as CVE-2020-0674, this security flaw is already being actively exploited in the wild, with Microsoft warning that a successful attack could give a cybercriminal full control of a compromised host.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft says.

“An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Windows RCE vulnerability

Internet Explorer 9, 10, and 11 are all affected on Windows 7, Windows 8.1, and Windows 10, and users are advised to deploy the patch as soon as possible.

Windows is also affected by a remote code execution flaw that would provide an attacker with elevated permissions on an unpatched device.

The vulnerability is flagged with a critical severity rating, and Microsoft says Windows 7, 8.1, and 10 are all exposed to such attacks. This bug, however, isn’t actively exploited, and Microsoft says exploitation is less likely in this case.

Windows 10 devices are getting all updates released this Patch Tuesday as part of the cumulative updates shipped through Windows Update.