Microsoft’s March 2020 Patch Tuesday cycle is a heavy one, as it includes updates for a total of 115 vulnerabilities. A total of 26 security flaws are flagged with a critical severity rating.
Out of the 26 critical vulnerabilities, no fewer than 17 affect browser and scripting engines, so if you’re using Microsoft’s browsers, the best advice is to patch as soon as possible.
There are three Remote Code Execution, or RCE, flaws that are resolved this month.
The first is CVE-2020-0852, a vulnerability in Microsoft Word that would allow an attacker to execute malicious code on behalf of the user. To exploit this flaw, a malicious actor needs to convince the user to open a crafted file using an unpatched version of Microsoft Word. The vulnerable versions are Microsoft Office 2016 for Mac, Microsoft Office 2019, Microsoft Office Online Server, and Microsoft SharePoint Server 2019.
No failed installs
The second is an RCE flaw in Application Inspector, tracked as CVE-2020-0872.
“A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output. An attacker who exploited it could send sections of the report containing code snippets to an external server,” Microsoft explains.
The third RCE affects Dynamics Business Central and is detailed in CVE-2020-0905. Microsoft says an attacker who manages to compromise an unpatched host could then execute arbitrary shell commands on the victim’s server.
On Windows 10 devices, all these patches are bundled with the latest cumulative updates, available both on Windows Update and on Microsoft’s Update Catalog. Given the large number of patched vulnerabilities, users are advised to install the new updates as soon as possible.
There are no reports of failed installs or botched updates so far.