Microsoft's Patch Tuesday security update for February 2020 has fixed 99 common vulnerabilities and exposures (CVEs), including the CVE-2020-0674 vulnerability in Internet Explorer.
Released on 11 February, the bumper crop of security fixes contained updates for for a number of Microsoft products.
Of particular note is the CVE-2020-0674 vulnerability in Internet Explorer, which was first discovered on 17 January 2020. If left unpatched, attackers can exploit the browser's scripting engine to corrupt memory and execute arbitrary code, according to Microsoft.
This can allow an attacker to gain the same user rights as a user. If that user has administration rights, the attacker can gain control of a system and install or remove data as they pleased.
The exploit can be hosted on a website as content and advertisements or through applications and Microsoft Office documents that use Internet Explorer’s rendering engine, but can only affect those that view affected content.
The list of affected Microsoft products include Microsoft Windows, Microsoft Edge (both EdgeHTML- and Chromium-based iterations), ChakraCore, Internet Explorer, Microsoft Exchange Server, Microsoft SQL Server, Microsoft Office and Microsoft Office Services and Web Apps, Windows Malicious Software Removal Tool and Windows Surface Hub.
In addition to the 99 CVEs addressed, February 2020’s Patch Tuesday also contained the ADV200003 security update for Adobe Flash Player, which can also exploit vulnerabilities through content or advertisements.
Further details on the full list of CVEs and the ADV addressed by February 2020’s Patch Tuesday can be found at the Microsoft Security Response Center.