Microsoft yesterday rolled out its March Patch Tuesday (2020) cumulative updates across its services. This was quite a heavy patch cycle that addresses a total of 115 vulnerabilities. Microsoft says 26 of those flaws are classed as critical.
Before getting into the details, it is worth noting that Microsoft Patch Tuesday events help to shore up services from vulnerabilities. For example, Microsoft patches against zero-days that either new or already exploited.
That makes Patch Tuesday essential in some cases. However, there has been an increasing issue where Microsoft patches are fixing one issue but causing others. We have seen this recently with a fix for Windows Search that has left users unable to boot their PCs.
Hopefully March Patch Tuesday will not bring any such problems.
In terms of fixes, this is quite a heavy rollout for Microsoft. The company says it solved 17 separate browser and scripting engine issues. If you a running a Microsoft browser, such as Chromium Edge, you should update at the nearest convenience.
RCE Flaws
Microsoft details three Remote Code Execution (RCE) vulnerabilities that it fixed. The first is CVE-2020-0852, which is a flaw found in Microsoft Word. If exploited, an attacker could execute malicious code. To do this, the user would need to open a file in an unpatched build of Microsoft Word.
Next up is CVE-2020-0872 which is a vulnerability in the Application Inspector (v1.0.23 or earlier).
“A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output. An attacker who exploited it could send sections of the report containing code snippets to an external server,” Microsoft explains.
Finally Microsoft discusses CVE-2020-0905. The company says this is a vulnerability found in Dynamics Business Central and would give a bad actor the ability to execute arbitrary shell commands on a server.
