Microsoft leaves critical bug unpatched on Patch Tuesday

Microsoft fixed bugs across a range of products on March’s Patch Tuesday, releasing patches for 115 distinct CVEs, with 26 rated critical.

All of the critical bugs related to remote code execution (RCE), and all of them stemmed from flaws in memory management.

The critical bug that cropped up in the most CVEs was in ChakraCore, the scripting engine that handles just-in-time compilation for its browsers. It’s a bug in the scripting engine’s object memory management that could corrupt memory to let an attacker execute their own code on the user’s behalf.

An attacker might exploit this bug by persuading the victim to visit a website, which could be a third-party site containing user-generated content like a blog comment or forum post. The attacker could also send them an ActiveX control in an Office document that uses the scripting engine. These bugs affected ChakraCore across 12 CVEs, which between them impacted Microsoft Edge and IE 11.

Microsoft detailed a similar object memory handling bug in Edge itself (CVE-2020-0816), along with four other similar CVEs in various areas of Internet Explorer 11 that included a bug in its VBScript engine.

The company also reported critical bugs in several versions of Windows. A flaw in the Windows Graphics Device Interface enables an attacker to control the system with full user rights; and a memory corruption bug in Windows Media Foundation, which is a COM-based multimedia framework pipeline and infrastructure platform for digital media in Windows. It’s exploitable via a malicious document or web page. This bug covers versions of Windows from 1607 through to 2019 Server and Server Core.

Another object memory management bug (CVE-2020-0852), this time in Microsoft Word, is exploitable via a malicious Word file, or by having the victim visit a website. It allows the attacker to run code as the user, and it’s also exploitable via the Outlook preview pane, Microsoft warned.

A final critical flaw (CVE-2020-0905) affects users of Dynamics NAV from 2013 up, along with Dynamics 365 BC On-Premise and Business Central 2019. This one allows attackers to execute code on the victim’s server by connecting a malicious Dynamics Business Central client.

Critical unpatched bug

One thing that wasn’t fixed in the collection of patches was a critical bug in Microsoft SMB servers that is triggered by a maliciously crafted data packet. News of the flaw appeared on some vendor pages on Tuesday, with the ID CVE-2020-0796, before being swiftly removed.

Microsoft has since issued an advisory for this flaw that says it affects Windows 10 release 1909 and Windows Server Core. There is no patch yet, but admins can disable SMBv3 compression and block port 445 on enterprise firewalls, Microsoft said.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.