← Back to all briefings
Infrastructure 5 min read Published Updated Credibility 73/100

Microsoft March 2020 Patch Tuesday fixes 115 vulnerabilities

March 2020 Patch Tuesday addressed 115 CVEs across Windows, Office, Edge, and Exchange, including critical remote code execution bugs in font, scripting, and SMB components.

Kodi C.

Editor & Research Lead

Fact-checked and reviewed — Kodi C.

Infrastructure pillar illustration for Zeph Tech briefings
Infrastructure supply chain and reliability briefings

On , Microsoft released the largest Patch Tuesday in recent history, addressing 115 CVEs across Windows client and server, Office productivity suite, Edge/Internet Explorer browsers, Exchange Server, and development tools. Twenty-six vulnerabilities received Critical severity ratings, including remote code execution flaws in font parsing (CVE-2020-0852), scripting engines (CVE-2020-0847), and SMB components that would later gain notoriety as "SMBGhost."

Critical Vulnerability Analysis

The March 2020 release addressed an unusually high proportion of critical vulnerabilities requiring immediate attention. Font parsing vulnerabilities in Windows Adobe Type Manager Library (atmfd.dll) could enable remote code execution when users preview malicious documents in Windows Explorer or open crafted documents. These bugs affected font handling at the kernel level, providing attackers potential for privileged code execution.

Scripting engine vulnerabilities in ChakraCore (Microsoft Edge legacy) and JScript continued a pattern of memory corruption issues in JavaScript engines. Attackers could exploit these through malicious web pages, requiring only that victims navigate to attacker-controlled sites. Browser-based exploitation chains remain popular due to broad attack surface and difficulty blocking JavaScript execution entirely.

The SMB vulnerabilities addressed in this release included CVE-2020-0796, a compression-related flaw in SMBv3.1.1 that Microsoft would highlight in an out-of-band advisory. This "wormable" vulnerability could enable remote code execution without authentication, creating concerns about rapid propagation similar to WannaCry and NotPetya.

Windows Server Patching Priorities

Server administrators face particular pressure from this bulletin given critical vulnerabilities in server-facing components. Domain controllers require patches for privilege escalation vulnerabilities in Active Directory. Exchange Server administrators must address remote code execution bugs in Outlook Web Access components.

SMB vulnerabilities demand attention on file servers and any systems exposing SMB to networks. While most organizations block SMB at network perimeters following EternalBlue lessons, internal propagation remains possible if wormable exploits emerge. Server Message Block (SMB) signing and encryption provide defense-in-depth but do not eliminate vulnerability to compression bugs.

IIS web servers require updates for HTTP request handling vulnerabilities. Organizations running. NET Framework applications need both OS patches and. NET cumulative updates. SharePoint deployments face particular exposure given multiple critical CVEs affecting both on-premises SharePoint Server and SharePoint Foundation.

Workstation Deployment Considerations

Windows 10 workstations require cumulative updates addressing the full vulnerability set. If you are affected, focus on deployments to systems handling sensitive data, those with browser-based workflows, and devices used by high-value targets like executives and system administrators.

Legacy Windows versions remaining in production face ongoing security challenges. Windows 7 and Server 2008 R2 reached end of extended support in January 2020, meaning only organizations with Extended Security Update (ESU) agreements receive patches. ESU customers must install both the ESU servicing stack and monthly rollups in correct sequence.

Office vulnerability remediation requires corresponding Office updates beyond Windows patches. Organizations using Click-to-Run Office deployments receive updates through Office CDN, while MSI-based installations require separate Office cumulative updates. Coordinating Windows and Office patching avoids leaving partial exposure.

Exchange Server Security Updates

Exchange administrators face critical patches addressing remote code execution vulnerabilities in Outlook Web Access (OWA) and Exchange Web Services (EWS). These components handle internet-facing traffic, making them attractive attack targets. Successful exploitation could enable attackers to compromise mail servers and access organizational communications.

Exchange cumulative updates require careful planning due to service disruption and database schema changes. Database availability groups (DAGs) support rolling updates with maintained availability, but single-server deployments require scheduled downtime. Testing in non-production environments should validate update installation, service recovery, and client connectivity.

Organizations running Exchange hybrid configurations must coordinate on-premises patching with Exchange Online coexistence requirements. Authentication and mail flow between environments can break if version mismatches exist. Review Microsoft's supportability matrix before updating Exchange servers in hybrid deployments.

Testing and Deployment Strategy

Given the bulletin's scope, you should adopt phased deployment approaches rather than immediate production rollout. Initial testing should validate application compatibility, particularly for line-of-business applications with printer drivers, font rendering, or Office integration dependencies.

Antivirus and endpoint protection compatibility deserves specific attention. Security software often hooks deeply into Windows components affected by this bulletin. Verify EDR and AV vendor compatibility statements before deployment, and monitor for detection gaps or system stability issues after patching.

WSUS and SCCM administrators should review the supersedence chain for cumulative updates and ensure deployment packages include prerequisite servicing stack updates. Windows 10 feature version differences affect applicable updates—organizations maintaining multiple feature versions need version-specific testing.

Monitoring and Threat Intelligence

Post-deployment monitoring should watch for exploitation attempts against newly disclosed vulnerabilities. Your security team should update detection rules for CVEs addressed in this bulletin, particularly those with public proof-of-concept code. Threat intelligence feeds typically release exploitation indicators within days of Patch Tuesday.

The SMB vulnerabilities warrant particular monitoring given historical precedent with EternalBlue. Network detection for SMB exploitation attempts, anomalous SMB traffic patterns, and lateral movement indicators provides early warning of active attacks. Consider temporarily disabling SMBv3 compression if patching delays are unavoidable.

Vulnerability scanning should validate patch deployment completeness. Large environments inevitably have systems that fail to receive updates due to network issues, policy conflicts, or administrative oversights. Regular scanning identifies gaps before attackers discover them.

Compliance Documentation

Organizations subject to regulatory requirements should document patch deployment timelines and any risk acceptance decisions for delayed patching. PCI DSS requires installation of critical security patches within one month. HIPAA covered entities must address vulnerabilities in systems handling protected health information. FedRAMP continuous monitoring requires vulnerability remediation within defined timeframes based on severity.

Audit evidence should include deployment schedules, completion percentages, exception documentation, and compensating controls for systems where immediate patching is not feasible. Patch management metrics show due diligence and support compliance attestations.

More on this topic

Further reading from our research library.

Continue in the Infrastructure pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Telecom Modernization Infrastructure Guide

    Modernise telecom infrastructure using 3GPP Release 18 roadmaps, O-RAN Alliance specifications, and ITU broadband benchmarks curated here.

  • Infrastructure Resilience Guide

    Coordinate capacity planning, supply chain, and reliability operations using DOE grid programmes, Uptime Institute benchmarks, and NERC reliability mandates covered here.

  • Edge Resilience Infrastructure Guide

    Engineer resilient edge estates using ETSI MEC standards, DOE grid assessments, and GSMA availability benchmarks documented here.

Coverage intelligence

Published
Coverage pillar
Infrastructure
Source credibility
73/100 — medium confidence
Topics
Patch Tuesday · Windows Security · SMB
Sources cited
3 sources (msrc.microsoft.com, iso.org)
Reading time
5 min

Source material

  1. March 2020 Security Updates — Microsoft
  2. Microsoft Security Response Center — Microsoft
  3. ISO/IEC 27017:2015 — Cloud Service Security Controls — International Organization for Standardization
  • Patch Tuesday
  • Windows Security
  • SMB
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.