Topic: Microsoft March 2020 Security Updates

Corrine
Microsoft March 2020 Security Updates
« on: March 10, 2020, 04:38:34 PM »
The Microsoft March security updates have been released and consist of 115 CVEs. Of these, 26 CVEs are rated Critical, 88 Important, and 1 rated Important in severity. None of the bugs being patched are listed as being publicly known or under active attack at the time of release.

The updates apply to the following: Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based), ChakraCore, Internet Explorer, Microsoft Exchange Server, Microsoft Office and Microsoft Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, Open Source Software, Azure, and Microsoft Dynamics.

As of the time of this posting, Adobe has not released updates for Flash Player.

Recommended Reading: See Dustin Childs' review and analysis in Zero Day Initiative — The March 2020 Security Update Review.

March Security Updates Guide


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Digerati
Re: Microsoft March 2020 Security Updates
« Reply #1 on: March 10, 2020, 04:59:25 PM »
115 is a lot but I find it interesting and reassuring that none are publicly known or under active attack. While I don't know what all "active" implies, the fact none are publicly known suggests to me a pretty aggressive proactive approach by Microsoft to detect and fix bugs before they are discovered out in the wild. I see that as a very good thing.
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018

Corrine
Re: Microsoft March 2020 Security Updates
« Reply #2 on: March 10, 2020, 05:34:13 PM »
Quote
While I don't know what all "active" implies
Here is an example from the February security updates of an active attack:  CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability.  According to the analysis by Dustin Childs in Zero Day Initiative — The February 2020 Security Update Review,

Quote
Even if you don’t use IE, you could still be affected by this bug through embedded objects in Office documents. Considering the listed workaround – disabling jscript.dll – breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch.



winchester73
Re: Microsoft March 2020 Security Updates
« Reply #3 on: March 10, 2020, 05:48:16 PM »
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Digerati
Re: Microsoft March 2020 Security Updates
« Reply #4 on: March 10, 2020, 06:29:24 PM »
Quote
Here is an example from the February security updates of an active attack
Thanks for that, but what I meant by not knowing what "all active implies" is that I don't know "everything" that being active does imply.

I get that it means it is not currently, at this point in time, under attack. But could that also mean it was under attack in the past, which would imply the vulnerability is known to the bad guys but they just aren't attacking right now - by choice?

Does it mean the vulnerability still exists? Or has it been patched? If not patched, do they expect it to be attacked in the coming days?

By saying "active" attack, it makes me wonder what all "inactive" attack means. Is it like a dormant volcano - as in one that isn't currently active or erupting but the volcanologists say it could tomorrow?

Nitpicking, I suppose. But when it comes to security, details matter. I don't like vagueness when not necessary.
Bill (AFE7Ret)