Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software—making March 2020 edition the biggest ever Patch Tuesday in the company’s history.
Of the 115 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, Exchange Server, Office, Azure, Windows Defender, and Visual Studio — that received new patches, 26 have been rated as critical, 88 received a severity of important, and one is moderate in severity.
However, unlike last month, none of the vulnerabilities the tech giant patched this month are listed as being publicly known or under active attack at the time of release.
It’s worth highlighting that the patch addresses critical flaws that could be potentially exploited by bad actors to execute malicious code by specially crafted LNK files and word documents.
Titled “LNK Remote Code Execution Vulnerability” (CVE-2020-0684), the flaw allows an attacker to create malicious LNK shortcut files that can perform code execution.
“The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary,” Microsoft detailed in its advisory. “When the user opens this drive(or remote share) in Windows Explorer or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system.”
The other bug, Microsoft Word Remote Code Execution Vulnerability (CVE-2020-0852), allows the malware to execute code on a system by merely viewing a specially crafted Word file in the Preview Pane with the same permissions as the currently logged-on user. Microsoft has warned that Microsoft Outlook Preview Pane is also an attack vector for this vulnerability.
Elsewhere, the Redmond-based company also issued fixes for remote code execution vulnerabilities tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824), Chakra scripting engine (CVE-2020-0811), and Edge browser (CVE-2020-0816).
images from Hacker News