It’s one of the largest Patch Tuesday updates ever issued by Microsoft, and includes fixes for 12 security vulnerabilities that have been given the highest severity rating of “critical.”
Amid the updates from Microsoft is a patch for a zero-day flaw in Internet Explorer that has been actively exploited in targeted attacks.
At the time Microsoft described a “workaround” for CVE-2020-0674 that concerned users could implement while they waited for the all-important proper patch to be produced, but it later turned out that workaround was umm.. sub-optimal, as users began to see errors when they tried to print documents.
Some users believed they might be immune from the threat, as Edge has replaced Internet Explorer in the most recent versions of Windows. However, even if you don’t use Internet Explorer you can still be at risk through the way Windows handles embedded objects in Office documents.
Another critical bug addressed in the latest Microsoft update is a remote code execution vulnerability in the way Windows handles .LNK shortcut files. A similar bug was exploited by the infamous Stuxnet worm to infect the Natanz nuclear facility in Iran.
With the latest .LNK vulnerability (known as CVE-2020-0729) a hacker could trick a target into running malware by having them insert into a PC a USB drive containing a boobytrapped .LNK file.
In the past such a method has been used to infect computers that are air-gapped from other networks and the internet.
These and other vulnerabilities are clearly very important to patch, and IT teams should waste no time in readying themselves for a roll-out across the computers that they administer.
As ever, the possibility does exist that Microsoft’s patches may not be perfect. In some cases, unfortunately, a security patch might cause incompatibilities and more problems than the issue it is trying to fix.
Because of this always ensure that you have secure, reliable backups in place before patching – just in case you need to roll back. In corporate environments it may also make sense to test the update on a small number of computers before pushing it out to every single Windows PC in the company.
But don’t use this as an excuse not to patch at all. The clock is ticking.
In some cases these vulnerabilities are already been exploited by malicious hackers. In the cases of other security flaws it may just be a matter of hours or days before criminals find a way to exploit them too.