Microsoft corrected nearly a century of CVE this month, although experts note that the workload for management should not be too high. Of the 99 vulnerabilities corrected this month, 12 important CVEs, one of which is Day Zero and four others are publicly disclosed, and therefore, should be given priority.
The zero-day exploitation in nature is CVE-2020-0674, as the script engine fails to execute remote code in Internet Explorer to manipulate objects in memory. By hosting a site designed specifically to exploit the bug, the hacker can obtain the same rights as the current user. Other notable serious errors include CVE-2020-0729, which is the risk of remote code execution in how Microsoft handles LNK files.
“Microsoft believes that exploiting risks is unlikely; however, a similar threat was discovered by CVE-2019-1280 last year, with a Trojan assistant that was actively exploited in September,” Recorded Future said important solutions architect Allan Liska said. He emphasized CVE-2020-0662, an RCE vulnerability which will enable any user using a website name to perform arbitrary code in the victim’s system in elevated transparency,” utilizing a specially crafted bundle.
This affects Windows 7 and Server 2008, which are no longer supported, as well as later versions. Todd Schell, Ivanti chief product manager, has argued that updating an operating system or browser “could reduce most of the risks this month”, despite the heavy loads of the patch.
“The good news is that for 99 CVE organizers this month, a lot doesn’t really mean a lot of work,” he added. “In general, updates are still in effect. Operating systems, browsers and Office will fix most of their vulnerabilities by Microsoft. MySQL and Exchange administrators are working a little more this month, and the latest release has been published. Information includes both products.” Meanwhile, Adobe resolved 17 CVEs to get Adobe Reader and Acrobat (APSB20-05), for example, 12 significant ones, and also yet another essential CVE to get Flash participant (APSB20-06).