Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday March 17 2020, @10:01AM   Printer-friendly
from the patchwork-quilt dept.

Microsoft Patches 26 Critical Bugs in Big March Update:

Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update – 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.

This month's haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike last month, Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.

Within the mix of critical issues, Microsoft tacked three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBscript scripting language used by Microsoft.

As for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.

"The vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user," wrote Richard Melick, Sr., technical product manager at Automox, in prepared analysis. "What this means is that an attacker could run malicious code directly on the user's system. If the user is logged in with administrative rights, those rights would extend to the code."

As for the VBscript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. "[It] will give the user complete control over many aspects of the device," Melick said.

As for the other critical bugs, 17 fixes are tied to Microsoft's browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys' Patch Tuesday team.

Jain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. "An attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user," he noted.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday March 17 2020, @05:52PM (2 children)

    by Anonymous Coward on Tuesday March 17 2020, @05:52PM (#972364)

    I wonder when SoylentNews will stop covering an OS that no Soylentil uses, except for one editor.

  • (Score: 2) by Freeman on Wednesday March 18 2020, @04:56PM (1 child)

    by Freeman (732) on Wednesday March 18 2020, @04:56PM (#972816) Journal

    Yeah, SoylentNews users still play games and as such still use Windows, likely Windows 10. Since, that's the currently supported OS version.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 0) by Anonymous Coward on Wednesday March 18 2020, @10:30PM

      by Anonymous Coward on Wednesday March 18 2020, @10:30PM (#972938)

      I seriously doubt this is true. It's the one guy!!! Micro$erf Marty!