The January 2020 Security Update Review
January 14, 2020 | Dustin Childs

Welcome to the new year, and welcome to the first Patch Tuesday of 2020. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for January 2020
Adobe begins the year with only two patches addressing a total of nine CVEs. The update for Illustrator CC fixes five Critical-rated CVEs. All of these bugs could allow code execution if a user opened a specially crafted file. The update for Experience Manager fixes three Important and one Moderate-rated information disclosure bugs. None of these vulnerabilities are listed as publicly known or under active attack at the time of release.
Citrix Patches for January 2020
We don’t normally discuss Citrix patches on this blog, but a recent bug (CVE-2019-19781) has been described as “one of the most dangerous bugs disclosed in recent years,” and a proof-of-concept exploit has been made public. What’s worse is that patches are not available yet but are scheduled for later this month. If you use Citrix, you should follow the mitigations posted here and look to apply patches as soon as they become available.
Microsoft Patches for January 2020
Before we get into this month’s patches, I briefly wanted to remind everyone that support for Windows 7 ends today. While Microsoft won’t necessarily be producing new patches for the venerable OS, attackers will certainly continue to produce new exploits. You should definitely be working on your migration strategy to a supported platform.
For January, Microsoft released patches for 49 CVEs covering Microsoft Windows, Internet Explorer (IE), Office and Office Services and Web Apps, ASP.NET, .NET Core, .NET Framework, Modern Apps, and Microsoft Dynamics. Five of these CVEs were submitted through the ZDI program. Of these 49 CVEs, eight are listed as Critical and 41 are listed as Important in severity. According to Microsoft, none of these are publicly known or under active attack at the time of release. However, there have been some reports of an IE bug being actively exploited. It does not appear that bug is addressed by any of these patches.
Let’s take a closer look at some of the more interesting updates for this month, starting with a crypto-related bug that has the rumor mill swirling:
- CVE-2020-0601 – Windows CryptoAPI Spoofing Vulnerability
While only listed as Important in severity, this spoofing bug could have a wide-reaching impact and should be at the top of everyone’s list. This vulnerability could allow an attacker to create a code-signing certificate to sign a malicious executable, making it appear as though the file was from a trusted, legitimate source. It’s not hard to imagine how attackers could employ this tactic. For example, ransomware or spyware is much easier to install when it appears to have a valid certificate. The patch also creates a new entry in the Windows event logs if someone attempts to use a forged certificate against a patched (and rebooted) system. This is significant and will help admins determine if they have been targeted. In the write-up, Microsoft credits the National Security Agency (NSA) for reporting this bug, which should heighten the sense of urgency in getting this patch tested and deployed.
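One way for an admin to look for the new log entries mentioned above, as an added example that is not part of the original post: the script below assumes (not stated on this page) that the patched crypt32.dll writes these entries to the Application log as Event ID 1 from the provider Microsoft-Windows-Audit-CVE, with the CVE number in the message text.

```powershell
# Added example: query a patched (and rebooted) system for the audit events that
# certificate validation writes when it rejects a certificate forged via CVE-2020-0601.
# Assumption (not from the page): provider "Microsoft-Windows-Audit-CVE", Event ID 1,
# Application log, message containing "[CVE-2020-0601]".
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        Where-Object { $_.Message -like '*CVE-2020-0601*' }
} catch {
    # Get-WinEvent raises an error when no events match; treat that as "nothing seen".
    $events = @()
}

if (-not $events) {
    Write-Output "No CVE-2020-0601 audit events in the last $Days day(s) on $ComputerName."
    return
}

# One row per hit: when it happened, on which host, and the full event text for the analyst.
$events | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Computer = $_.MachineName
        Message  = ($_.Message -replace '\s+', ' ').Trim()
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

An unpatched or not-yet-rebooted host will never produce these events, so an empty result is only meaningful once the January update is confirmed installed.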
- CVE-2020-0609 – Windows RDP Gateway Server Remote Code Execution Vulnerability
I could just as easily have listed CVE-2020-0610 here, as the write-up from Microsoft is identical for both bugs. An attacker who exploited either of these bugs could get code execution on affected RDP Gateway Servers. This code execution occurs at the level of the server and is pre-auth and without user interaction. That means these bugs are wormable – at least between RDP Gateway Servers. While not as widespread as systems affected by BlueKeep, it certainly presents an attractive target for attackers.
- CVE-2020-0611 – Remote Desktop Client Remote Code Execution Vulnerability
While not quite as severe as the previously mentioned RDP bugs, this client-side vulnerability deserves some attention. An attacker could take over an affected system if they can convince a user to connect to a malicious RDP server. Because of that requirement, this may not seem as critical. However, combine this client-side bug with two server-side bugs released in this same month, and an entire exploit chain becomes clear.
Here’s the full list of CVEs released by Microsoft for January 2020:
CVE | Title | Severity | Public | Exploited | XI (Exploitability Index) - Latest | XI (Exploitability Index) - Older | Type |
--- | --- | --- | --- | --- | --- | --- | --- |
CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0605 | .NET Framework Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0606 | .NET Framework Remote Code Execution Injection Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0609 | Windows RDP Gateway Server Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
CVE-2020-0610 | Windows RDP Gateway Server Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
CVE-2020-0611 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0640 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0646 | .NET Framework Remote Code Execution Injection Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability | Important | No | No | 1 | 1 | Spoof |
CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0607 | Microsoft Graphics Components Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0608 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0612 | Windows Remote Desktop Protocol (RDP) Gateway Server Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
CVE-2020-0613 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0614 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0615 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0616 | Microsoft Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0617 | Hyper-V Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
CVE-2020-0620 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0621 | Windows Security Feature Bypass Vulnerability | Important | No | No | N/A | 2 | SFB |
CVE-2020-0622 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2020-0623 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0624 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0625 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0626 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0627 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0628 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0629 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0630 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0631 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0632 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0633 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0634 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0635 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0636 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0637 | Remote Desktop Web Access Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2020-0638 | Update Notification Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0639 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0641 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0642 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0643 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0644 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0647 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | 2 | N/A | Spoof |
CVE-2020-0650 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0651 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0652 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0653 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
CVE-2020-0654 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-0656 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
Of the remaining Critical-rated patches, one is for IE, but again, this is not listed as publicly known or under active attack. There are also three Critical patches for .NET Framework and one for ASP.NET. Most of these require that a user open a specially crafted file on an affected system. However, in CVE-2020-0646, an attacker could pass specific input to an application utilizing susceptible .NET methods to gain code execution. The code execution would occur at the level of the logged-on user, which brings us to another reminder not to log on with admin privileges to do your day-to-day work.
Looking at the Important-rated updates, the 12 updates for the Windows Search Indexer immediately stand out. The write-ups for these dozen bugs are all identical, and they were all reported by the same researcher. All list improper handling of objects in memory as a cause. In each case, a local user could run a specially crafted application to escalate privileges. In all, 21 January patches relate to a local privilege escalation in some form. Affected components include the Windows Subsystem for Linux, the Update Notification Manager, the Windows Kernel, and Microsoft Cryptographic Services.
There are two security feature bypass bugs this month, and both deserve mention. The first involves password creation, and it sounds like some creativity would be needed to exploit it as well. An attacker could create a password filter when creating a new password, which would result in a password being accepted that should have been blocked. I would love to hear the story of how the researchers discovered this scenario. The other bypass, in the OneDrive for Android app, could allow an attacker to bypass the passcode or fingerprint requirements of the application. For this bug, you’ll need to download the update through the Google Play store.
There are a few RCE bugs fixed in Excel and Office. None of these bugs involve the Preview Pane, and all require user interaction. There are also a handful of information disclosure bugs addressed in various Windows components. There are four Denial-of-Service (DoS) bugs fixed this month. A problem with hard links could make an affected Windows server unresponsive. RDP Gateway Servers also get a patch to fix a vulnerability that would allow a remote attacker to shut down an RDP Gateway Server. There are also patches to address DoS bugs in Hyper-V and ASP.NET Core.
Wrapping up this release, there’s a spoofing bug in Office that could allow for cross-origin attacks on affected systems. The final patch from Microsoft for January fixes a cross-site scripting (XSS) bug in Microsoft Dynamics 365 (On-Premise).
No security advisories were released this month.
Looking Ahead
The next Patch Tuesday falls on February 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!