Security News > 2020 > February > IE zero day and heap of RDP flaws fixed in February Patch Tuesday
The fix is part of the February Patch Tuesday update that features a record 99 security vulnerabilities including 12 marked as 'critical' and 87 'important'.
The first indication of the IE zero-day, now identified as CVE-2020-0674, appeared when Mozilla fixed a very similar issue in Firefox on 8 January, less than two days after the appearance of version 72.
The attacks were reported to Mozilla by a third party which, in a later deleted reference, mentioned that the same issue also affected IE. On 17 January, Microsoft issued its own alert regarding the Scripting Engine memory corruption flaw, citing IE's Enhanced Security Configuration protection as mitigation against attacks.
Another critical is CVE-2020-0738 - a memory corruption flaw in Windows Media Foundation, while CVE-2020-0689, marked important, could offer attackers a way around Microsoft Secure Boot.
Adobe's February update features 42 CVEs, including 21 criticals in Framemaker alone.
News URL
Related news
- Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws (source)
- May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040) (source)
- April 2024 Patch Tuesday forecast: New and old from Microsoft (source)
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs (source)
- Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included (source)
- CrushFTP warns users to patch exploited zero-day “immediately” (source)
- May 2024 Patch Tuesday forecast: A reminder of recent threats and impact (source)
- Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability (source)
- Week in review: Veeam fixes RCE flaw in backup management platform, Patch Tuesday forecast (source)
- Apple backports iOS zero-day patch, adds Bluetooth tracker alert (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-02-11 | CVE-2020-0674 | Use After Free vulnerability in Microsoft Internet Explorer 10/11/9 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. | 7.6 |
2020-02-11 | CVE-2020-0689 | Improper Input Validation vulnerability in Microsoft products A security feature bypass vulnerability exists in secure boot, aka 'Microsoft Secure Boot Security Feature Bypass Vulnerability'. | 4.6 |
2020-02-11 | CVE-2020-0738 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory, aka 'Media Foundation Memory Corruption Vulnerability'. | 9.3 |