Nytro

The April 2020 Security Update Review

April 14, 2020 | Dustin Childs
 

April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for April 2020

For April, Adobe released three patches addressing five CVEs in Adobe ColdFusion, After Effects, and Digital Editions. All CVEs are rated Important and none are listed as being publicly known or under active attack at the time of release. The update for ColdFusion should be on the top of the deployment list as it includes a local privilege escalation (LPE) to go along with an info disclosure and denial-of-service bug. The update for After Effects, reported by ZDI researchers Mat Powell and Michael DePlante, corrects an info disclosure bug. The patch for Digital Editions also corrects a single information disclosure bug. Although there is no update for Flash this month, the window for the final Flash patches is closing as it goes out of support at the end of this year.

Microsoft Patches for April 2020

For April, Microsoft released patches for 113 CVEs covering Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer, Office and Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, Microsoft Apps for Android, and Microsoft Apps for Mac. Of these 113 CVEs, 17 are rated Critical and 96 are rated Important in severity. Twelve of these CVEs were reported through the ZDI program. If you feel like there have been a lot of patches this year, you’re not wrong. Microsoft has seen a 44% increase in the number of CVEs patched from January to April of 2020 compared to the same time period in 2019. Both an increasing number of researchers looking for bugs and an expanding portfolio of supported products likely caused this increase. It will be interesting to see if this pace continues, especially considering Microsoft will pause optional Windows 10 updates starting next month.

Three of the bugs addressed this month are listed as being under active attack, and two are listed as being public at the time of release. [NOTE: Microsoft initially listed CVE-2020-0968 as being under active attack. They have since revised this bulletin to note it is not under attack.] Let’s take a closer look at some of the more interesting updates for this month, starting with two of the bugs under active attack.

-       CVE-2020-1020 – Adobe Font Manager Library Remote Code Execution Vulnerability
Initially disclosed back in late March, this bug is one of two reported to be targeting Windows 7 systems. Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font. The code would run at the level of the logged-on user. Although the attacks specifically have targeted Windows 7 systems, not all Win7 systems will receive a patch since the OS left support in January of this year. Only those Windows 7 and Server 2008 customers with an ESU license will receive the patch.

-       CVE-2020-0938 – OpenType Font Parsing Remote Code Execution Vulnerability
This bug is associated with the previous vulnerability, although it impacts a different font renderer. It too is listed as being under active attack. Again, an attacker could execute their code on a target system if a user viewed a specially crafted font. We should also note Windows 10 systems are less impacted by these bugs since the code execution would occur in an AppContainer sandbox. Win7 users will also need an ESU license for this patch.

-       CVE-2020-0993 – Windows DNS Denial of Service Vulnerability
This patch addresses a Denial-of-Service (DoS) bug in the Windows DNS service. Note that’s the DNS service and not the DNS Server, so client systems are also affected by this vulnerability. An attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system. Since there is no code execution involved, this only gets rated as Important. However, considering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.

-       CVE-2020-0981 – Windows Token Security Feature Bypass Vulnerability
It’s not often you see a security feature bypass directly result in a sandbox escape, but that’s exactly what this bug allows. The vulnerability results from Windows improperly handling token relationships. Attackers could abuse this to allow an application with a certain integrity level to execute code at a different – presumably higher – integrity level. The result is a sandbox escape. This only affects Windows 10 version 1903 and higher, so the code is a relatively recent addition.

Here’s the full list of CVEs released by Microsoft for April 2020.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2020-1020 | Adobe Font Manager Library Remote Code Execution Vulnerability | Important | Yes | Yes | 2 | 0 | RCE |
| CVE-2020-0938 | OpenType Font Parsing Remote Code Execution Vulnerability | Important | No | Yes | 2 | 0 | RCE |
| CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | 0 | 1 | EoP |
| CVE-2020-0935 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | Yes | No | 2 | N/A | EoP |
| CVE-2020-0969 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2020-1022 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0948 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0949 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0950 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0907 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0687 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0927 | Microsoft Office SharePoint XSS Vulnerability | Critical | No | No | 2 | 2 | XSS |
| CVE-2020-0929 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0931 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0932 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0974 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0965 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0970 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2020-0968 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2020-0967 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0910 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0942 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0944 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1029 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0784 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-0888 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 1 | EoP |
| CVE-2020-0964 | GDI+ Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0889 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0953 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0959 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0960 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0988 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0992 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0994 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0995 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0999 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1008 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0937 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0939 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0945 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0946 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0947 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0984 | Microsoft (MAU) Office Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2020-1002 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1049 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1050 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1018 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | No | No | 2 | 2 | Info |
| CVE-2020-0906 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0979 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
| CVE-2020-0982 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0987 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1005 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0961 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0760 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0991 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0923 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0924 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0925 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0926 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0930 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0933 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0954 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0973 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0978 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-0919 | Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2020-1019 | Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2020-0920 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0971 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0972 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-0975 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-0976 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
| CVE-2020-0977 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-0899 | Microsoft Visual Studio Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1014 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0980 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0943 | Microsoft YourPhone Application for Android Authentication Bypass Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2020-1026 | MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A | SFB |
| CVE-2020-0966 | VBScript Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0900 | Visual Studio Extension Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0956 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-0957 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
| CVE-2020-0958 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-0699 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0962 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0835 | Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2020-0794 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-0993 | Windows DNS Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-0934 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0983 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1009 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1011 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1015 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0952 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1004 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-0917 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0918 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0913 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1000 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1003 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0955 | Windows Kernel Information Disclosure in CPU Memory Access | Important | No | No | 2 | 2 | Info |
| CVE-2020-0821 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1007 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0940 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1001 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1006 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1017 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1016 | Windows Push Notification Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0936 | Windows Scheduled Task Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2020-0985 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0996 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0895 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1094 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |

 

Of the remaining Critical-rated patches, most are related to web browsers or some form of browse-and-own scenario. CVE-2020-0968 is listed as being under active attack, although the Exploit Index rating contradicts that notion. Hopefully, this will get clarified in an upcoming revision. [NOTE: Microsoft has revised the bulletin to remove the active attack designation.] The patches for Media Foundation Server fall into this category as well. Hyper-V also receives a Critical-rated patch for a Guest-to-Host escape. That would have been nice to see during the last Pwn2Own, where it could have won $250,000. Maybe next year. There are a couple of Critical-rated SharePoint bugs fixed this month, including some reported through the ZDI program. We’ll be blogging about the details of these bugs in the coming weeks. Stay tuned.
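The Public, Exploited and XI columns of the CVE list are what a patch team triages on, and the paragraph above describes a case where the Exploited flag and the index disagreed. The following Python is an added example, not code from the original post, ZDI or Microsoft: it parses rows in the table's layout, ranks them, and flags such disagreements. The ranking order is an assumed policy, the meaning of index value 0 ("exploitation detected") comes from Microsoft's Exploitability Index scale rather than from this page, and `CONSTRUCTED_ROW` is constructed to model the pre-revision listing of CVE-2020-0968.

```python
import re
from typing import NamedTuple, Optional

# Rows copied from the CVE table on this page.
SAMPLE_ROWS = """\
CVE-2020-1020 Adobe Font Manager Library Remote Code Execution Vulnerability Important Yes Yes 2 0 RCE
CVE-2020-1027 Windows Kernel Elevation of Privilege Vulnerability Important No Yes 0 1 EoP
CVE-2020-0935 OneDrive for Windows Elevation of Privilege Vulnerability Important Yes No 2 N/A EoP
CVE-2020-0910 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0956 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0993 Windows DNS Denial of Service Vulnerability Important No No 2 2 DoS
"""
# Constructed row (not in the table): CVE-2020-0968 as first published,
# i.e. marked Exploited while both index values stayed at 1.
CONSTRUCTED_ROW = "CVE-2020-0968 Scripting Engine Memory Corruption Vulnerability Critical No Yes 1 1 RCE\n"

class Row(NamedTuple):
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi: tuple          # (latest, older); None where the table says N/A
    kind: str

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def parse_row(line: str) -> Optional[Row]:
    """Parse one row. Titles contain spaces, so fields are taken from the right."""
    tok = line.replace("|", " ").split()   # accepts plain or pipe-delimited rows
    if len(tok) < 8 or not CVE_RE.match(tok[0]):
        return None                        # header, separator, blank or malformed
    sev, pub, exp, xi_new, xi_old, kind = tok[-6:]
    if sev not in ("Critical", "Important") or {pub, exp} - {"Yes", "No"}:
        return None
    try:
        xi = tuple(None if v == "N/A" else int(v) for v in (xi_new, xi_old))
    except ValueError:
        return None
    return Row(tok[0], " ".join(tok[1:-6]), sev, pub == "Yes", exp == "Yes", xi, kind)

def triage_key(r: Row):
    # Assumed policy: exploited first, then public, then lowest index, then Critical.
    best_xi = min((v for v in r.xi if v is not None), default=9)
    return (not r.exploited, not r.public, best_xi, r.severity != "Critical")

def triage(text: str):
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    return sorted(rows, key=triage_key)

def xi_mismatches(rows):
    """CVEs whose Exploited flag disagrees with the index (0 = exploitation detected)."""
    return [r.cve for r in rows if r.exploited != (0 in r.xi)]

if __name__ == "__main__":
    ranked = triage(SAMPLE_ROWS + CONSTRUCTED_ROW)
    for r in ranked:
        print(f"{r.cve}  {r.severity:<9} exploited={r.exploited} public={r.public} xi={r.xi}")
    print("flag/index mismatch:", xi_mismatches(ranked))
```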

Beyond the code execution bugs, there’s also a cross-site scripting (XSS) bug in SharePoint that stands out. There are 10 SharePoint XSS bugs patched in this release, but only one (CVE-2020-0927) receives a Critical rating. Considering the write-ups for all are identical, it’s not clear why this patch rated higher than the others.

 

Looking at the Important-rated patches, there’s a total of 39 that address some form of Elevation of Privilege (EoP). One of the kernel EoP bugs, CVE-2020-1027, is listed as being under active attack, but only on newer systems. One of these patches represents the other publicly known bug. CVE-2020-0935 fixes a bug in OneDrive that could allow an EoP through symbolic links. Most people won’t need to take any action here as OneDrive has its own updater that periodically checks the OneDrive binary. However, those who are on air-gapped or otherwise restricted networks will need to manually update with the provided binary.

Two of the EoP patches impact products rarely seen on Patch Tuesday. The first is a patch for the Microsoft YourPhoneCompanion application for Android. This bug could allow an attacker to read your notifications if they have your device. The second is a patch for the RMS Sharing App for Mac. This one could allow authenticated attackers to load unsigned binaries. The remaining EoP bugs affect a wide array of Windows components, but in almost every case, an attacker would need to log on to an affected system then run a specially crafted application.

There are fixes for 16 information disclosure bugs this month. The other most notable addresses a bug in Microsoft Dynamics Business Central. Most info disclosure bugs leak uninitialized memory and must be combined with something else to gain code execution. For this bug (CVE-2020-1018), the vulnerability allows attackers to see information found in an otherwise masked field. Consequently, you could be exposing passwords with this bug.

 

Beyond the previously mentioned XSS bugs in SharePoint, there are also four Spoofing bugs in SharePoint receiving patches in April. These are very similar to the XSS bugs. In both cases, the vulnerabilities get fixed by properly sanitizing web requests.

There’s another security feature bypass being fixed, this one in the MSR JavaScript Cryptography Library. A bug in the library’s Elliptic Curve Cryptography (ECC) implementation could allow an attacker to learn information about a server’s private ECC key resulting in a key leakage attack. They could also craft an invalid ECDSA signature that still passes as valid.

The release is rounded out by a patch for a DoS bug in Windows that would allow a logged-on user to run a specially crafted application and cause the system to stop responding. This isn’t much of a concern unless multiple users are using the same system at the same time. In that scenario, one attacker could DoS everyone else using the system.

There are no new advisories for this month. There is an update to the Windows Servicing Stack, which adds updates for both client and server OS platforms this month.

Looking Ahead

The next Patch Tuesday falls on May 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!

 

Source: https://www.zerodayinitiative.com/blog/2020/4/14/the-april-2020-security-update-review
