The first Patch Tuesday of 2020 in January brought an unusually long list of patches, but February brings an even wider range of fixes that address a total of 99 vulnerabilities — including 12 classified as Critical, with the remaining 99 deemed Important. Only five of the vulnerabilities were made public before the patches were released; one of these was rated as Critical.
New Critical vulnerabilities of note include Remote Code Execution (RCE) flaws in both .LNK handling and Remote Desktop that could allow attackers to gain full user rights when exploited. This type of attack could lead to loss of control over a system or its individual components, as well as theft of sensitive data. A vulnerability in the legacy Trident-based Internet Explorer browser is the only Critical vulnerability that was reported as being exploited in the wild.
On the other hand, privilege escalation vulnerabilities have always been a common threat, but the number (55) this month is staggering. Hackers use a number of ways to exploit vulnerabilities this way, such as manipulating access tokens, bypassing user account control, or hijacking a DLL search order.
Here’s a closer look at the notable vulnerabilities that have been patched this month:
Scripting Engine Memory Corruption Vulnerability
CVE-2020-0674 is a vulnerability in how the Trident rendering engine handles objects in memory. An attacker could use this flaw to run code with the same privileges as the logged in user. Using Internet Explorer is not necessary to trigger this flaw; other methods (such as specially crafted Office documents) can be used. This flaw was first noted by Microsoft in february patch tuesday fixes critical trident vulnerabilities
