The February 2019 Microsoft Patch Tuesday brings patches for a total of 99 vulnerabilities in the software giant's products, including 12 security flaws rated as critical.
No fewer than 7 of the 12 critical vulnerabilities affect browsers and scripting engines, while 2 concern the Remote Desktop Client. Businesses are advised to deploy those patches first.
One particular highlight this month is the scripting engine memory corruption vulnerability in Internet Explorer. Tracked as CVE-2020-0674, this security flaw is already being actively exploited in the wild, with Microsoft warning that a successful attack could give an attacker full control of a compromised host.
“In a web-based attack scenario, an attacker could host an exclusively crafted website that is designed to exploit the vulnerability through IE and then convince a person to view the website,” Microsoft says.
“An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker may also make the most of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Windows RCE vulnerability
Windows is also affected by a remote code execution flaw that could give an attacker elevated permissions on an unpatched device.
The vulnerability is flagged with a critical severity rating, and Microsoft says Windows 7, 8.1, and 10 are exposed to such attacks. This bug, however, isn’t actively exploited, and Microsoft says exploitation is less likely in this instance.
On Windows 10 devices, all updates released this Patch Tuesday are included in the cumulative updates shipped through Windows Update.