The April 2020 Security Update Review
April 14, 2020 | Dustin Childs
April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for April 2020
For April, Adobe released three patches addressing five CVEs in Adobe ColdFusion, After Effects, and Digital Editions. All CVEs are rated Important and none are listed as being publicly known or under active attack at the time of release. The update for ColdFusion should be on the top of the deployment list as it includes a local privilege escalation (LPE) to go along with an info disclosure and denial-of-service bug. The update for After Effects, reported by ZDI researchers Mat Powell and Michael DePlante, corrects an info disclosure bug. The patch for Digital Editions also corrects a single information disclosure bug. Although there is no update for Flash this month, the window for the final Flash patches is closing as it goes out of support at the end of this year.
Microsoft Patches for April 2020
For April, Microsoft released patches for 113 CVEs covering Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer, Office and Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, Microsoft Apps for Android, and Microsoft Apps for Mac. Of these 113 CVEs, 17 are rated Critical and 96 are rated Important in severity. Twelve of these CVEs were reported through the ZDI program. If you feel like there have been a lot of patches this year, you’re not wrong. Microsoft has seen a 44% increase* in the number of CVEs patched between January and April of 2020 compared to the same time period in 2019. Both an increasing number of researchers looking for bugs and an expanding portfolio of supported products likely caused this increase. It will be interesting to see if this pace continues, especially considering Microsoft will pause optional Windows 10 updates starting next month.
Three of the bugs addressed this month are listed as being under active attack, and two are listed as being public at the time of release. [NOTE: Microsoft initially listed CVE-2020-0968 as being under active attack. They have since revised this bulletin to note it is not under attack.] Let’s take a closer look at some of the more interesting updates for this month, starting with two of the bugs under active attack.
- CVE-2020-1020 – Adobe Font Manager Library Remote Code Execution Vulnerability
Initially disclosed back in late March, this bug is one of two reported to be targeting Windows 7 systems. Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font. The code would run at the level of the logged-on user. Although the attacks specifically have targeted Windows 7 systems, not all Win7 systems will receive a patch since the OS left support in January of this year. Only those Windows 7 and Server 2008 customers with an ESU license will receive the patch.
- CVE-2020-0938 – OpenType Font Parsing Remote Code Execution Vulnerability
This bug is associated with the previous vulnerability, although it impacts a different font renderer. It too is listed as being under active attack. Again, an attacker could execute their code on a target system if a user viewed a specially crafted font. We should also note Windows 10 systems are less impacted by these bugs since the code execution would occur in an AppContainer sandbox. Win7 users will also need an ESU license for this patch.
- CVE-2020-0993 – Windows DNS Denial of Service Vulnerability
This patch addresses a Denial-of-Service (DoS) bug in the Windows DNS service. Note that’s the DNS service and not the DNS Server, so client systems are also affected by this vulnerability. An attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system. Since there is no code execution involved, this only gets rated as Important. However, considering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.
- CVE-2020-0981 – Windows Token Security Feature Bypass Vulnerability
It’s not often you see a security feature bypass directly result in a sandbox escape, but that’s exactly what this bug allows. The vulnerability results from Windows improperly handling token relationships. Attackers could abuse this to allow an application with a certain integrity level to execute code at a different – presumably higher – integrity level. The result is a sandbox escape. This only affects Windows 10 version 1903 and higher, so the code is a relatively recent addition.
Here’s the full list of CVEs released by Microsoft for April 2020.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-1020 | Adobe Font Manager Library Remote Code Execution Vulnerability | Important | Yes | Yes | 2 | 0 | RCE |
CVE-2020-0938 | OpenType Font Parsing Remote Code Execution Vulnerability | Important | No | Yes | 2 | 0 | RCE |
CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | 0 | 1 | EoP |
CVE-2020-0935 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | Yes | No | 2 | N/A | EoP |
CVE-2020-0969 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-1022 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0948 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0949 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0950 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0907 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0687 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0927 | Microsoft Office SharePoint XSS Vulnerability | Critical | No | No | 2 | 2 | XSS |
CVE-2020-0929 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0931 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0932 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0974 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0965 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0970 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0968 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0967 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0910 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0942 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0944 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1029 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0784 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0888 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 1 | EoP |
CVE-2020-0964 | GDI+ Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0889 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0953 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0959 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0960 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0988 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0992 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0994 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0995 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0999 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1008 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0937 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0939 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0945 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0946 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0947 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0984 | Microsoft (MAU) Office Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-1002 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1049 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1050 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1018 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | No | No | 2 | 2 | Info |
CVE-2020-0906 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0979 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
CVE-2020-0982 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0987 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1005 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0961 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0760 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0991 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0923 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0924 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0925 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0926 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0930 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0933 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0954 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0973 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0978 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0919 | Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-1019 | Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-0920 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0971 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0972 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-0975 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-0976 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
CVE-2020-0977 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-0899 | Microsoft Visual Studio Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1014 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0980 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0943 | Microsoft YourPhone Application for Android Authentication Bypass Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-1026 | MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A | SFB |
CVE-2020-0966 | VBScript Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0900 | Visual Studio Extension Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0956 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0957 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2020-0958 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0699 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0962 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0835 | Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-0794 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0993 | Windows DNS Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0934 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0983 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1009 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1011 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1015 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0952 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1004 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0917 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0918 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0913 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1000 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1003 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0955 | Windows Kernel Information Disclosure in CPU Memory Access | Important | No | No | 2 | 2 | Info |
CVE-2020-0821 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1007 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0940 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1001 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1006 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1017 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1016 | Windows Push Notification Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0936 | Windows Scheduled Task Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-0985 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0996 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0895 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1094 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
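One way to turn the table above into a deployment order, as an added example that is not part of the original post: it parses rows in this page's pipe-delimited layout, ranks them, and flags any row whose Exploited column disagrees with the Exploit Index (XI), where 0 means exploitation detected. The ranking rule (exploited, then public, then severity, then lowest XI) and all function names are assumptions made for this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the table on this page (a subset, to keep this short).
SAMPLE_ROWS = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-1020 | Adobe Font Manager Library Remote Code Execution Vulnerability | Important | Yes | Yes | 2 | 0 | RCE |
CVE-2020-0938 | OpenType Font Parsing Remote Code Execution Vulnerability | Important | No | Yes | 2 | 0 | RCE |
CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | 0 | 1 | EoP |
CVE-2020-0935 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | Yes | No | 2 | N/A | EoP |
CVE-2020-0910 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0968 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
"""
# Constructed row: CVE-2020-0968 with Exploited = Yes, as the page says it was first listed.
PRE_REVISION_0968 = "CVE-2020-0968 | Scripting Engine Memory Corruption Vulnerability | Critical | No | Yes | 1 | 1 | RCE |"
SEVERITY_RANK = {"Critical": 0, "Important": 1}


@dataclass
class Patch:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi: List[Optional[int]]  # [latest, older]; None means N/A
    kind: str


def parse_row(line: str) -> Optional[Patch]:
    """Parse one table row; return None for the header or a blank line."""
    cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
    if cells == [""] or cells[0] == "CVE":
        return None
    if len(cells) != 8 or not cells[0].startswith("CVE-"):
        raise ValueError(f"malformed row: {line!r}")
    cve, title, sev, public, exploited, xi_new, xi_old, kind = cells
    if sev not in SEVERITY_RANK or {public, exploited} - {"Yes", "No"}:
        raise ValueError(f"unexpected value in row: {line!r}")
    xi = [None if v == "N/A" else int(v) for v in (xi_new, xi_old)]
    return Patch(cve, title, sev, public == "Yes", exploited == "Yes", xi, kind)


def parse_table(text: str) -> List[Patch]:
    return [p for p in map(parse_row, text.splitlines()) if p is not None]


def triage(patches: List[Patch]) -> List[Patch]:
    """Assumed ordering: exploited, then public, then severity, then lowest XI."""
    def key(p: Patch):
        known = [v for v in p.xi if v is not None]
        return (not p.exploited, not p.public,
                SEVERITY_RANK[p.severity], min(known, default=3))
    return sorted(patches, key=key)


def xi_mismatches(patches: List[Patch]) -> List[str]:
    """CVEs whose Exploited flag disagrees with XI (0 = exploitation detected)."""
    return [p.cve for p in patches if p.exploited != (0 in p.xi)]


if __name__ == "__main__":
    print([p.cve for p in triage(parse_table(SAMPLE_ROWS))])
    print(xi_mismatches(parse_table(PRE_REVISION_0968)))
```

A mechanical ranking like this is only a starting point: it places an Important-rated, unexploited bug such as CVE-2020-0993 near the bottom, so anything the write-up singles out still needs to be promoted by hand.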
Of the remaining Critical-rated patches, most are related to web browsers or some form of browse-and-own scenario. CVE-2020-0968 is listed as being under active attack, although the Exploit Index rating contradicts that notion. Hopefully, this will get clarified in an upcoming revision. [NOTE: Microsoft has revised the bulletin to remove the active attack designation.] The patches for Media Foundation Server fall into this category as well. Hyper-V also receives a Critical-rated patch for a Guest-to-Host escape. That would have been nice to see during the last Pwn2Own, where it could have won $250,000. Maybe next year. There are a couple of Critical-rated SharePoint bugs fixed this month, including some reported through the ZDI program. We’ll be blogging about the details of these bugs in the coming weeks. Stay tuned.
Beyond the code execution bugs, there’s also a cross-site scripting (XSS) bug in SharePoint that stands out. There are 10 SharePoint XSS bugs patched in this release, but only one (CVE-2020-0927) receives a Critical rating. Considering the write-ups for all are identical, it’s not clear why this patch rated higher than the others.
Looking at the Important-rated patches, there’s a total of 39 that address some form of Elevation of Privilege (EoP). One of the kernel EoP bugs, CVE-2020-1027, is listed as being under active attack, but only on newer systems. One of these patches represents the other publicly known bug. CVE-2020-0935 fixes a bug in OneDrive that could allow an EoP through symbolic links. Most people won’t need to take any action here as OneDrive has its own updater that periodically checks the OneDrive binary. However, those who are on air-gapped or otherwise restricted networks will need to manually update with the provided binary.
Two of the EoP patches impact products rarely seen on Patch Tuesday. The first is a patch for the Microsoft YourPhoneCompanion application for Android. This bug could allow an attacker to read your notifications if they have your device. The second is a patch for the RMS Sharing App for Mac. This one could allow authenticated attackers to load unsigned binaries. The remaining EoP bugs affect a wide array of Windows components, but in almost every case, an attacker would need to log on to an affected system then run a specially crafted application.
There are fixes for 16 information disclosure bugs this month. The most notable addresses a bug in Microsoft Dynamics Business Central. Most info disclosure bugs leak uninitialized memory and must be combined with something else to gain code execution. For this bug (CVE-2020-1018), the vulnerability allows attackers to see information found in an otherwise masked field. Consequently, you could be exposing passwords with this bug.
Beyond the previously mentioned XSS bugs in SharePoint, there are also four Spoofing bugs in SharePoint receiving patches in April. These are very similar to the XSS bugs. In both cases, the vulnerabilities get fixed by properly sanitizing web requests.
There’s another security feature bypass being fixed, this one in the MSR JavaScript Cryptography Library. A bug in the library’s Elliptic Curve Cryptography (ECC) implementation could allow an attacker to learn information about a server’s private ECC key resulting in a key leakage attack. They could also craft an invalid ECDSA signature that still passes as valid.
The release is rounded out by a patch for a DoS bug in Windows that would allow a logged-on user to run a specially crafted application and cause the system to stop responding. This isn’t much of a concern unless multiple users are using the same system at the same time. In that scenario, one attacker could DoS everyone else using the system.
There are no new advisories for this month. There is an update to the Windows Servicing Stack, which adds updates for both client and server OS platforms this month.
Looking Ahead
The next Patch Tuesday falls on May 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!
*Source: Increase is calculated on the number of patches released by Microsoft from January through April of each respective year. Patch information was provided by the Microsoft Security Update Guide.