Patch now! Microsoft releases fixes for 99 security flaws, some being actively exploited by hackers

Graham Cluley @gcluley

It’s one of the largest Patch Tuesday updates ever issued by Microsoft, and includes fixes for 12 security vulnerabilities that have been given the highest severity rating of “critical.”

Amid the updates from Microsoft is a patch for a zero-day flaw in Internet Explorer that has been actively exploited in targeted attacks.

In January, Microsoft warned that the vulnerability (known technically as CVE-2020-0674) was being actively exploited in targeted attacks against organisations.

At the time Microsoft described a “workaround” for CVE-2020-0674 that concerned users could implement while they waited for the all-important proper patch to be produced, but it later turned out that workaround was umm... sub-optimal, as users began to see errors when they tried to print documents.

Some users believed they might be immune from the threat, as Edge has replaced Internet Explorer in the most recent versions of Windows. However, even if you don’t use Internet Explorer you can still be at risk through the way Windows handles embedded objects in Office documents.

Another critical bug addressed in the latest Microsoft update is a remote code execution vulnerability in the way Windows handles .LNK shortcut files. A similar bug was exploited by the infamous Stuxnet worm to infect the Natanz nuclear facility in Iran.

With the latest .LNK vulnerability (known as CVE-2020-0729) a hacker could trick a target into running malware simply by getting them to insert into a PC a USB drive containing a booby-trapped .LNK file.

In the past such a method has been used to infect computers that are air-gapped from other networks and the internet.

These and other vulnerabilities are clearly very important to patch, and IT teams should waste no time in readying themselves for a roll-out across the computers that they administer.

As ever, the possibility does exist that Microsoft’s patches may not be perfect. In some cases, unfortunately, a security patch might cause incompatibilities and more problems than the issue it is trying to fix.

Because of this always ensure that you have secure, reliable backups in place before patching – just in case you need to roll back. In corporate environments it may also make sense to test the update on a small number of computers before pushing it out to every single Windows PC in the company.

But don’t use this as an excuse not to patch at all. The clock is ticking.

In some cases these vulnerabilities are already being exploited by malicious hackers. In the case of other security flaws it may be just a matter of hours or days before criminals find a way to exploit them too.
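The advice above to try the update on a small group of computers before pushing it to every Windows PC is easier to follow if you can confirm, from one console, which pilot machines actually received the update. The script below is an added example, not code from the original article or from Microsoft; it uses the standard `Get-HotFix` cmdlet to check a list of pilot computers for a given KB. The KB identifier and the computer names are placeholders, since the article does not list the KB numbers for this Patch Tuesday.

```powershell
# Added example (not from the original article): verify that a specific Patch Tuesday
# update is present on a pilot group of machines before a company-wide roll-out.
# The KB identifier below is a placeholder; substitute the KB number from the
# Microsoft Security Update Guide for the update you are staging.
$KbId = 'KB0000000'   # placeholder, not an identifier taken from the article
$PilotComputers = @('PILOT-PC-01', 'PILOT-PC-02', 'PILOT-PC-03')   # constructed names

$report = foreach ($computer in $PilotComputers) {
    try {
        # Get-HotFix queries the Win32_QuickFixEngineering class on the remote host
        # (requires RPC/DCOM access and local admin rights on the target).
        $fix = Get-HotFix -Id $KbId -ComputerName $computer -ErrorAction Stop
        [pscustomobject]@{
            Computer    = $computer
            Installed   = $true
            InstalledOn = ($fix | Select-Object -First 1).InstalledOn
            Note        = ''
        }
    }
    catch {
        # A missing hotfix or an unreachable host both surface here; the message
        # tells you which, so an offline machine is not mistaken for a patched one.
        [pscustomobject]@{
            Computer    = $computer
            Installed   = $false
            InstalledOn = $null
            Note        = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Widen the roll-out only once every pilot machine reports the update and no
# regressions (printing, Office documents, line-of-business apps) have been logged.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} pilot machine(s) still lack {1}; hold the wider roll-out." -f $missing.Count, $KbId)
}
else {
    Write-Host "All pilot machines report $KbId installed; proceed to the next deployment ring."
}
```

Run it from an administrative console that can reach the pilot machines. A machine that is unreachable is reported as not installed together with the error text, which is the safer default when deciding whether a deployment ring is ready. The same report, kept alongside your backup and rollback notes, is the evidence you want before the update goes to the rest of the estate.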

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
