Patch Tuesday – January 2020
This month is relatively quiet but there are nevertheless, and as always, critical patches that need your attention. So, let’s get started…
Windows and Windows Server
This month there are three critical remote code execution (RCE) flaws patched in Windows. The first (CVE-2020-0611) is in the Windows Remote Desktop Client and could be exploited if a user connects to a malicious server. The attacker could then install software, modify data, and create new users with full user rights. Exploitation requires the attacker to trick the user into connecting to a malicious server, whether by compromising a legitimate server, by social engineering, by DNS poisoning, or by a man-in-the-middle attack.
The second critical RCE vulnerability (CVE-2019-1468) is in the Win32k component and the way it handles embedded fonts. An attacker could take control of a system, install programs, modify data, and create new accounts with full user rights. Users whose accounts do not have administrative privileges are less affected by this bug. The flaw could be exploited by persuading a user to visit a specially crafted website or to open a specially crafted file.
The last critical RCE (CVE-2019-1471) this month exists because a Hyper-V host fails to properly validate input from an authenticated user in a guest operating system. To exploit it, an attacker would need to run a specially crafted application in the guest operating system, causing the Hyper-V host to run arbitrary code.
The most prominent flaw, however, is a spoofing vulnerability (CVE-2020-0601) in the CryptoAPI and the way it validates Elliptic Curve Cryptography (ECC) certificates. This bug is the first ever to be reported to Microsoft by the NSA, which is especially interesting because in the past the NSA has kept flaws to itself, presumably with the intention of weaponizing them. If you remember, WannaCry was based on an exploit called EternalBlue that supposedly leaked from the NSA.
An attacker could exploit CVE-2020-0601 by using a spoofed code-signing certificate to sign a malicious executable, making the file appear to come from a trusted source. A successful exploit could also let an attacker carry out a man-in-the-middle attack and decrypt confidential data handled by the affected software. The update makes sure that Windows completely validates ECC certificates. This flaw only affects Windows 10, Windows Server 2016, and Windows Server 2019.
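Completely validating an ECC certificate means checking more than that its public key matches a trusted one: the curve the key is declared under has to match as well, and a certificate that carries explicit ECParameters instead of a standard named-curve OID is exactly the shape a strict validator should refuse. The following is an added example, not code from the article or from Microsoft: a minimal Python DER walk over a SubjectPublicKeyInfo (RFC 5480 layout) that tells the two cases apart. Both sample keys are constructed, with a dummy public point, and the explicit-parameter block is a truncated placeholder.

```python
# OIDs from RFC 5480; the curve table is deliberately short.
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

def _tlv(data: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Decode DER OID contents into dotted form (first octet packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_ec_spki(spki: bytes) -> str:
    """Return how the SPKI declares its key: 'named:<curve>' is the only shape to trust by default."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg, _ = _tlv(body, 0)                      # AlgorithmIdentifier
    tag, alg_oid, p = _tlv(alg, 0)                 # algorithm OID
    if tag != 0x06 or _decode_oid(alg_oid) != EC_PUBLIC_KEY_OID:
        return "not-ec"
    tag, params, _ = _tlv(alg, p)                  # ECParameters CHOICE
    if tag == 0x06:                                # namedCurve OID
        oid = _decode_oid(params)
        return "named:" + NAMED_CURVES[oid] if oid in NAMED_CURVES else "unknown-curve:" + oid
    return "explicit-params" if tag == 0x30 else "implicit-or-absent"

# Constructed samples (not real keys): a dummy uncompressed point of 0x11 bytes.
_DUMMY_POINT = b"\x04" + b"\x11" * 64
# ecPublicKey with namedCurve prime256v1, 65-byte point in a BIT STRING.
NAMED_P256_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + _DUMMY_POINT
# ecPublicKey with explicit ECParameters; the SEQUENCE holds only 'version 1' as a placeholder.
EXPLICIT_PARAMS_SPKI = bytes.fromhex("3054300e06072a8648ce3d020130030201010342000"
                                     "4") + b"\x11" * 64

if __name__ == "__main__":
    print(classify_ec_spki(NAMED_P256_SPKI))        # named:P-256
    print(classify_ec_spki(EXPLICIT_PARAMS_SPKI))   # explicit-params
```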
Internet Explorer 11 gets a patch (CVE-2020-0640) for a critical RCE caused by improper access to objects in memory. It could allow an attacker to run arbitrary code in the context of the currently logged-in user, so users without administrative rights are less affected. To exploit the vulnerability, an attacker would need to persuade a user to visit a specially crafted website.
Office 365 ProPlus gets patches for four important RCEs. CVE-2020-0650, CVE-2020-0651, and CVE-2020-0653 are all in Excel and the way it fails to properly handle objects in memory. The flaws could be used to run arbitrary code in the context of the logged-in user, and an attacker would need to persuade the user to open a specially crafted file. CVE-2020-0652 is a similar memory-handling flaw elsewhere in the Office suite.
Microsoft Exchange, SharePoint, and SQL Server
There are no security patches this month for Exchange Server, SharePoint Server, or SQL Server.
There is no security patch for Adobe Flash Player this month, although the player is updated nevertheless. Illustrator CC 2019 gets a patch for a critical memory corruption flaw that could let an attacker run arbitrary code, and Adobe Experience Manager gets an update that resolves multiple vulnerabilities.