Microsoft leaves critical bug unpatched on Patch Tuesday
Microsoft fixed bugs across a range of products on March’s Patch Tuesday, releasing patches for 115 distinct CVEs, with 26 rated critical.
All of the critical bugs related to remote code execution (RCE), and all of them stemmed from flaws in memory management.
The critical bug that cropped up in the most CVEs was in ChakraCore, the scripting engine that handles just-in-time compilation for its browsers. It’s a bug in the scripting engine’s object memory management that could corrupt memory to let an attacker execute their own code on the user’s behalf.
An attacker might exploit this bug by persuading the victim to visit a website, which could be a third-party site containing user-generated content like a blog comment or forum post. The attacker could also send them an ActiveX control in an Office document that uses the scripting engine. These bugs affected ChakraCore across 12 CVEs, which between them impacted Microsoft Edge and IE 11.
Microsoft detailed a similar object memory handling bug in Edge itself (CVE-2020-0816), along with four other similar CVEs in various areas of Internet Explorer 11 that included a bug in its VBScript engine.