Yesterday was the second Tuesday of February, or as it's often referred to in tech circles, Patch Tuesday. Microsoft doles out a cumulative security update every second Tuesday of the month, and today's is one of the biggest ever, if not the largest, with nearly 100 individual patches.
There are 99 in all, though if you want to count a handful of Windows 7 patches that are only available to businesses paying for extended support, the total number jumps past 100. Either way, this a comparatively massive roll out (I'm not aware of there ever being this many before).
With so many fixes inbound, it's a good idea to update sooner than later. That's assuming there are no major issues caused by the update, rather than solved—I've not seen anything yet, but it's also early. I applied it to my daily driver, a Windows 10 PC with a pair of SATA-SSDs in RAID 0 (yes, I'm reckless), and from start to finish (including a reboot) it took under a minute.
Not all of the patches are applicable to Windows 10, though many of them are. One of the more notable fixes is CVE-2020-0674 (opens in new tab), which addresses a zero-day vulnerability in Internet Explorer. Left unpatched, visiting a compromised website with IE could result in an attacker being able to take full control of a target system. According to Trend Micro, this security flaw can also be exploited outside of IE.
"Even if you don’t use IE, you could still be affected by this bug though embedded objects in Office documents. Considering the listed workaround—disabling jscript.dll—breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch," Trend Micro says.
Out of the 99 vulnerabilities addressed with the latest update, a dozen are rated as Critical. One them applies to Microsoft's Secure Boot security feature designed to prevent malware from loading during start-up.
"This security feature bypass bug could allow attackers to circumvent the Secure Boot feature and load untrusted software on an affected system. This is one of the publicly known bugs being patched this month. While this is certainly a bug to scrutinize, it’s compounded by a non-standard patching process. This month’s servicing stack must first be applied, then additional standalone security updates need to be installed. If you have the Windows Defender Credential Guard (Virtual Secure Mode) enabled, you’ll need to go through two additional reboots as well. All this is needed to block impacted third-party bootloaders," Trend Micro notes.
The other thing of note is a round of patches for Microsoft's retooled Edge browser, which is now powered by Chromium (the same engine powering Google's own Chrome browser). Microsoft dished up its first round of updates for Edge since its public release last month, with fixes for 41 vulnerabilities. According to ThreatPost, these are technically not part of Patch Tuesday. They're out at the same time, though, so we're really looking at 140 patches this week.