Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Members of public are advised to stay vigilant and not follow any instructions given by these scammers. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Advisories
  4. Microsoft February 2020 Patch Tuesday
Advisory

Microsoft February 2020 Patch Tuesday

12 February 2020

Background
Microsoft has released security patches to address 99 vulnerabilities affecting its Operating System (OS) and other related products.

The following vulnerabilities were rated critical and require immediate attention:
•    CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767 - These vulnerabilities exist in the way the scripting engine handles objects in memory in Internet Explorer (IE) and Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Successful exploitation of these vulnerabilities could allow an attacker to gain the same user rights as the current user and take control of the affected system.
•    CVE-2020-0681, CVE-2020-0734 - These vulnerabilities exists when Windows Remote Desktop Client connects to a malicious server. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the computer of the connecting client.
•    CVE-2020-0662 - This vulnerability exists in the way Windows handles objects in memory. Successful exploitation of this vulnerability could allow an attacker with access to a domain user account to execute arbitrary code with administrator privileges on the host OS.
•    CVE-2020-0738 - This vulnerability exists when Windows Media Foundation improperly handles objects in memory. Successful exploitation of this vulnerability could allow an attacker to install programmes; view, change, or delete data; or create new accounts with full user rights.
•    CVE-2020-0729 - This vulnerability exists in Microsoft Windows when a .LNK file is processed. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the host OS.

This release also includes a security update for CVE-2020-0674, a zero-day remote code execution vulnerability in IE. Microsoft reported that the vulnerability was exploited in limited targeted attacks: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001.

For the full list of security patches released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Feb.

Affected Products
Microsoft’s release contains updates for the following:

•    Microsoft Windows
•    Microsoft Edge (EdgeHTML-based)
•    Microsoft Edge (Chromium-based)
•    ChakraCore
•    Internet Explorer
•    Microsoft Exchange Server
•    Microsoft SQL Server
•    Microsoft Office and Microsoft Office Services and Web Apps
•    Windows Malicious Software Removal Tool
•    Windows Surface Hub

Impact
Successful exploitation of these critical vulnerabilities could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, including unauthorised installation of programmes, the creation of rogue administrator accounts and the ability to view, change, or delete data.

Recommendation
Users and system administrators of affected products are strongly encouraged to install the security updates immediately.

References

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec
https://www.bleepingcomputer.com/news/microsoft/microsofts-december-2019-patch-tuesday-fixes-win32k-zero-day-36-flaws/

https://www.zdnet.com/article/microsoft-december-2019-patch-tuesday-plugs-windows-zero-day/