Patch Tuesday – January 2020

This month is relatively quiet, but there are nevertheless, as always, critical patches that need your attention. So, let’s get started…

Windows and Windows Server

This month there are three critical remote code execution (RCE) flaws patched in Windows. The first (CVE-2020-0611) is in the Windows Remote Desktop Client and could be exploited if a user connects to a malicious server. The attacker could then install software, modify data, and create new users with full user rights. Exploiting this flaw requires the attacker to trick the user into connecting to a malicious server, whether by compromising a legitimate server, through social engineering or DNS poisoning, or with a man-in-the-middle attack.

The second critical RCE vulnerability (CVE-2019-1468) is in the Win32k component and the way it handles embedded fonts. An attacker could take control of a system, install programs, modify data, and create new accounts with full user rights. Users without administrative privileges are less impacted by this bug. The flaw could be exploited using a specially designed website or by opening a file.

The last critical RCE (CVE-2019-1471) this month is in the way a Hyper-V host server fails to properly validate input from an authenticated user in a guest operating system. An attacker would need to run a specially crafted application in the guest operating system to exploit this flaw and cause the Hyper-V host server to run arbitrary code.

The most prominent flaw, however, is a spoofing vulnerability (CVE-2020-0601) in the CryptoAPI and how it validates Elliptic Curve Cryptography (ECC) certificates. This bug is the first ever to be reported to Microsoft by the NSA. And it’s especially interesting because in the past the NSA has kept flaws to itself, presumably with the intention of weaponizing them. If you remember, WannaCry was based on an exploit called EternalBlue that supposedly leaked from the NSA.

An attacker could exploit CVE-2020-0601 by using a spoofed code-signing certificate to sign a malicious executable, making the file appear to come from a trusted source. If successfully exploited, an attacker could perform a man-in-the-middle attack and decrypt confidential data using the infected software. The update makes sure that Windows completely validates ECC certificates. This flaw only affects Windows 10, Windows Server 2016, and Windows Server 2019.
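As an added illustration (not code from the original post, Microsoft, or the NSA), this Go program shows the principle behind the check the CryptoAPI update restores: a leaf certificate, such as a code-signing certificate, is trusted only when its chain cryptographically verifies against the trust store's own copy of the root, never merely because its issuer field names a trusted CA. The "Trusted Root CA" and "signer.example" names, the P-256 keys and the helper functions are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert (constructed helper) signs a certificate for pub with signer; the issuer name is copied from parent.
func newCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so this parses
	return cert
}

// validateAgainstTrustStore accepts leaf only if its chain cryptographically verifies up to
// the trust store's own copy of the root; a matching issuer name (or key bytes) alone is never enough.
func validateAgainstTrustStore(leaf, trustedRoot *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RunDemo builds a constructed P-256 ECC root, a leaf it really signed, and a rogue leaf signed by
// an unrelated key whose Issuer field merely copies the root's name; it reports whether each is accepted.
func RunDemo() (genuineAccepted, rogueAccepted bool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := newCert("Trusted Root CA", true, &rootKey.PublicKey, nil, rootKey)
	genuine := newCert("signer.example", false, &leafKey.PublicKey, root, rootKey)
	rogue := newCert("signer.example", false, &leafKey.PublicKey, &x509.Certificate{Subject: root.Subject}, rogueKey)
	return validateAgainstTrustStore(genuine, root) == nil, validateAgainstTrustStore(rogue, root) == nil
}
```

RunDemo returns true for the genuinely signed leaf and false for the rogue one, which is exactly the outcome a complete ECC chain validation must produce.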

Internet Explorer 11 gets a patch (CVE-2020-0640) for a critical RCE where it improperly accesses objects in memory. It could allow an attacker to run arbitrary code in the context of the currently logged-in user, so users without administrative rights are less impacted. To exploit the vulnerability, an attacker would need to persuade a user to go to a specially crafted website.

Microsoft Office

Office 365 ProPlus gets patches for four important RCEs. CVE-2020-0650, CVE-2020-0651, and CVE-2020-0653 are all in Excel and the way it fails to properly handle objects in memory. The flaws could be used to run arbitrary code in the context of the logged-in user. An attacker would need to persuade the user to open a specially crafted file. CVE-2020-0652 is a similar memory-handling flaw in the Office suite itself, in the same vein as the previous three.

Microsoft Exchange, SharePoint, and SQL Server

There are no security patches this month for Exchange Server, SharePoint Server, or SQL Server.

Adobe Software

There is no security patch for Adobe Flash Player this month, although the player is nevertheless updated. Illustrator CC 2019 gets a patch for a critical memory corruption flaw that could let an attacker run arbitrary code. Adobe Experience Manager also gets an update that resolves multiple vulnerabilities.