SoylentNews is people

posted by Fnord666 on Tuesday March 17 2020, @10:01AM
from the patchwork-quilt dept.

Microsoft Patches 26 Critical Bugs in Big March Update:

Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update – 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.

This month's haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike last month, Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.

Within the mix of critical issues, Microsoft tackled three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBScript scripting language used by Microsoft.

As for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.

"The vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user," wrote Richard Melick, Sr. technical product manager at Automox, in a prepared analysis. "What this means is that an attacker could run malicious code directly on the user's system. If the user is logged in with administrative rights, those rights would extend to the code."

As for the VBScript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. "[It] will give the user complete control over many aspects of the device," Melick said.

As for the other critical bugs, 17 fixes are tied to Microsoft's browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys' Patch Tuesday team.

Jain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. "An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user," he noted.


  • (Score: 0) by Anonymous Coward on Tuesday March 17 2020, @11:50AM (7 children)

    by Anonymous Coward on Tuesday March 17 2020, @11:50AM (#972141)

    Is this why when I declined an update yesterday, Windows kept annoying me every hour until, when I told it to stop annoying me, it said "ok I'll just pick a time then", after which I could no longer change that option?

    I'd love to strangle whoever designed the Windows 10 update messages.

  • (Score: 0) by Anonymous Coward on Tuesday March 17 2020, @12:07PM (6 children)

    by Anonymous Coward on Tuesday March 17 2020, @12:07PM (#972144)

    I wonder when my Win7 system will be pwned.

    • (Score: 2) by Gaaark on Tuesday March 17 2020, @01:02PM (4 children)

      by Gaaark (41) on Tuesday March 17 2020, @01:02PM (#972168) Journal

      I wonder when people will dump Windows.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2) by RS3 on Tuesday March 17 2020, @03:08PM (3 children)

        by RS3 (6367) on Tuesday March 17 2020, @03:08PM (#972250)

        I wonder when people will dump Windows.

        Linus wondered that 30 years ago. Still wondering...

        I have several Linux machines, one I really like, and I admin several live Linux servers. But my day-to-day computer use is mostly Windows- 7 and XP. I have 1 machine with W10 but I haven't even fired it up in many months. I'm sure it will take a day or so to update itself when I finally get around to plugging it in.

        One conundrum I have with Linux desktop: the many many options are great, but when I finally get something that's familiar, comfortable, works well, it's now "deprecated" (like Windows).

        My favorite system is Slackware 14.1, XFCE, KDE libs and many KDE apps, but NOT the whole of KDE environment. Ugh.

        Notice I wrote "Slackware 14.1". After almost 4 years, 14.2 is still the stable release. Many things just didn't work, or not well, or struggled to get working, and I gave up on it.

        Point is, there are too many options and changes even for us geeks. General public just don't want all of that. They need something simple, consistent, that works.

        • (Score: 0) by Anonymous Coward on Tuesday March 17 2020, @05:52PM (2 children)

          by Anonymous Coward on Tuesday March 17 2020, @05:52PM (#972364)

          I wonder when SoylentNews will stop covering an OS that no Soylentil uses, except for one editor.

          • (Score: 2) by Freeman on Wednesday March 18 2020, @04:56PM (1 child)

            by Freeman (732) on Wednesday March 18 2020, @04:56PM (#972816) Journal

            Yeah, SoylentNews users still play games and as such still use Windows, likely Windows 10, since that's the currently supported OS version.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
            • (Score: 0) by Anonymous Coward on Wednesday March 18 2020, @10:30PM

              by Anonymous Coward on Wednesday March 18 2020, @10:30PM (#972938)

              I seriously doubt this is true. It's the one guy!!! Micro$erf Marty!

    • (Score: 2) by Freeman on Wednesday March 18 2020, @04:29PM

      by Freeman (732) on Wednesday March 18 2020, @04:29PM (#972800) Journal

      Considering that Win7 isn't getting any security updates as of:

      Windows 7 support ended on January 14, 2020

      https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020 [microsoft.com]

      I would say, your system is likely able to be pwned now, but may not be pwned yet.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"