Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about

Updated Microsoft has emitted more than 100 fixes in its March batch of security updates.

The Patch Tuesday release includes 115-CVE listed flaws, including 26 classified as critical security risks. None of the flaws have previously been disclosed or exploited in the wild.

One particularly nasty remote-code execution hole revealed this week lies within SMBv3. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client," says Microsoft. There is no patch available for this right now other than to disable SMBv3 compression for servers. There is no workaround nor patch for clients right now.

Microsoft is aware of a RCE vulnerability in the way that the SMBv3 protocol handles certain requests. If you wish to be notified when updates for this vulnerability are available, please follow the guidance in the advisory linked here: https://t.co/x5Z658xQ6t

— Security Response (@msftsecresponse) March 10, 2020

Among the other critical alerts, for which patches are actually available, is CVE-2020-0852, a remote code execution flaw in Word.

As Dustin Childs of the Zero Day Initiative notes, such high-risk flaws are rare for Office apps like Word that are typically shielded from remote code risks because they do not automatically load documents.

"Most code execution bugs in Office products require a user to open a specially crafted file and are thus Important in severity. This Critical-rated Word bug requires no such user interaction," explained Childs.

"Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user."

Four other remote code execution flaws were also patched in Word this month, though none are considered as severe as CVE-2020-0852. Also raising eyebrows was CVE-2020-0905, a flaw that allows for the injection of shell commands in Dynamics Business Central.

"Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution," notes Childs.

"Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly."

As is often the case, Microsoft's browsers accounted for the vast majority of this month's critical updates. Remote code flaws in the scripting engine, VBscript, Media Foundation, and Edge/IE themselves added up to 19 critical flaws.

The Graphics Device Interface (GDI) was patched for two bugs (CVE-2020-0881, CVE-2020-0883), both allowing for remote code execution.

Azure DevOps was on the receiving end of three patches, two for elevation of privilege bugs (CVE-2020-0758, CVE-2020-0815) and one cross-site-scripting flaw (CVE-2020-0700).

Microsoft Defender had two elevation of privilege vulnerabilities (CVE-2020-0762, CVE-2020-0763) while SharePoint was patched for four cross-site scripting flaws (CVE-2020-0893, CVE-2020-0894, CVE-2020-0795, CVE-2020-0891.)

SAP warns of major flaws

Enterprise giant SAP has dropped a number of fixes for high-severity issues, with four bulletins for flaws with CVSS ratings of 9 or higher.

Among those are two missing authentication checks in Solution Manager, a path manipulation vulnerability in NetWeaver, and an update for Chromium browser components in Business Client.

Also patched was a remote code execution flaw in Business Objects, a missing authorization check in Disclosure Management, denial of service in BusinessObjects Mobile, and a SQL injection flaw in SAP Max.

All quiet from Adobe

One name notably absent this month is Adobe. It seems Flash, Reader, Acrobat, Creative Cloud, and the other offerings from the multimedia giant are all free of major security flaws this month, though we may very well see patches posted later this month. ®

Updated to add

A patch for the SMBv3 hole is now available.