In January, Microsoft’s scheduled updates fixed numerous security flaws, including a few critical ones. With the February Patch Tuesday update bundle, however, the vendor addresses quite a number of critical vulnerabilities, as well as a zero-day bug in Internet Explorer.
Microsoft February Patch Tuesday Fixed IE Zero-Day
With February’s scheduled updates, Microsoft has patched a zero-day vulnerability affecting Internet Explorer. The vulnerability (CVE-2019-0676) reportedly existed due to improper handling of objects in memory. Describing the flaw in its advisory, Microsoft stated,
“An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website.”
As the advisory indicates, exploiting the bug could result in information disclosure. Microsoft confirms active exploitation of the flaw, so users should make sure their systems are updated to the patched versions.
76 Other Flaws Also Fixed Including 20 Critical Bugs
Apart from the zero-day, Microsoft has also fixed 76 other vulnerabilities, including 20 critical security flaws. These include 2 Microsoft SharePoint RCE flaws, 11 Scripting Engine Memory Corruption flaws in Microsoft Edge, 3 Microsoft Edge Memory Corruption vulnerabilities, 1 RCE flaw in Windows DHCP Server, 1 IE memory corruption vulnerability, and 2 GDI+ RCE flaws.
Microsoft has also fixed 54 important security flaws. Two of these vulnerabilities (CVE-2019-0630 and CVE-2019-0633) existed in Windows SMB server handling. Each of them could allow an attacker to achieve remote code execution. Regarding exploitation, Microsoft stated in the advisories,
“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests… To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv2 server.”
The other Microsoft products receiving security fixes with this update bundle include Microsoft Windows, ChakraCore, MS Office and web apps, .NET Framework, Microsoft Dynamics, Microsoft Exchange Server, and a few others.