Patch Tuesday – April 2020

This month’s Patch Tuesday is the first after Covid-19 forced significantly more of us to work from home. And hackers are taking advantage of the global health crisis by targeting users and companies in creative ways. So, while employees might be out of sight of the IT department, they shouldn’t be out of mind.

Windows and Windows Server

I reported last month that a flaw in the Windows Adobe Type Manager Library is actively being exploited by hackers. As part of a security advisory, Microsoft warned that there are two remote code execution (RCE) flaws rated Critical in the library that can be exploited in several ways. A hacker could convince a user to open a specially crafted document or just view it in File Explorer’s preview pane.

The RCE flaws are in the way Windows handles a specially crafted multi-master font. The Adobe Type Manager library is built-in to Windows and it is used to render PostScript Type1 fonts. As part of April’s Patch Tuesday updates, Microsoft released fixes both RCE issues. For more information, see Microsoft Issues Security Advisory for Zero-Day in Adobe Type Manager Library on Petri.

A third zero-day has also been patched (CVE-2020-1027). It is an elevation of privilege vulnerability in the way the kernel handles objects in memory. It could let an attacker run code with elevated privileges if they are able to authenticate locally and run a specially crafted application.

The three zero-days are all rated Important. But there are also 7 RCE bugs rated Critical that get patches this month. The patches affect Microsoft Graphics Components, Windows Hyper-V, the Windows font library, Windows Media Foundation, and the Microsoft Windows Codecs Library.

Among the remaining fixes rated Important, there’s a patch for a flaw when Windows fails to properly handle token relationships. It could let an attacker execute code at a different integrity level, enabling them to escape a sandbox.

OneDrive gets a patch for a previously known bug in the way the OneDrive for Windows Desktop application handles symbolic links. An attacker could use the bug to overwrite a targeted file and then elevate privileges. To exploit this flaw, an attacker would need to log on to the system and run a specially crafted application. The bug could allow an attacker to take control of a system.

A bug (CVE-2020-0993) in the DNS client service gets patched. It could let an attacker cause the DNS client service to become unresponsive if specially-crafted DNS queries are sent to unpatched systems.

Finally, legacy Edge’s ChakraCore gets two patches for critical RCE flaws. As does Internet Explorer 11 and EdgeHTML.

Microsoft Office

Office 365 ProPlus gets 6 RCE fixes rated Important. CVE-2020-0991 is a vulnerability that could let an attacker take control of a system if a user is logged in with administrator rights. CVE-2020-0906, a flaw in the way Excel handles objects in memory, could also let an attacker take control if a user is logged in with an administrator account.

Microsoft Exchange, SharePoint, and SQL Server

There are no patches this month for Exchange Server or SQL Server. But SharePoint Server gets several fixes rated Important, Critical, and Moderate. They include spoofing and RCE bugs. All 5 patches rated Critical are for RCE vulnerabilities. All involve a vulnerability where SharePoint fails to check the source markup of an application package. An attacker could use the flaws to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Adobe software

There’s no security update for Flash Player this month. Although, Adobe has issued patches rated Important for ColdFusion, After Effects, and Digital Editions.