Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update released since the work-from-home era truly got underway. It’s a doozie, with the tech giant disclosing 113 vulnerabilities.
Out of these, 19 are rated as critical and 94 as important. Crucially, four of the vulnerabilities are being exploited in the wild, and two were previously publicly disclosed.
In all, the update includes patches for Microsoft Windows, Microsoft Edge (EdgeHTML-based and the Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac. They run the gamut from information disclosure and privilege escalation to remote code execution (RCE) and cross-site scripting (XSS).
Microsoft has seen a 44 percent increase year-over-year in the number of CVEs patched between January to April, according to Trend Micro’s Zero Day Initiative (ZDI) – a likely result of an increasing number of researchers looking for bugs and an expanding portfolio of supported products. In March, Patch Tuesday contained 115 updates; in February, Microsoft patched 99 bugs; and in January, it tackled 50 flaws.
Bugs Under Active Exploit
On the zero-day front, Microsoft patched CVE-2020-0968, a critical-level memory-corruption vulnerability in Internet Explorer that was exploited in the wild. The bug allows RCE, and exists due to the improper handling of objects in memory by the scripting engine.
“There are multiple scenarios in which this vulnerability could be exploited,” Satnam Narang, principal research engineer at Tenable, told Threatpost. “The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.”
Chris Hass, director of information security and research for Automox, told Threatpost that CVE-2020-0968 is a perfect vulnerability for use in drive-by compromise.
“If the current user is logged in as admin, an attacker could host a specially crafted website hosting this vulnerability; once the unpatched user navigates to the malicious site, the attacker could then exploit this bug, allowing the attacker to gain remote access to the host,” he explained. “This bug would allow the attacker to view, change, delete data or even install ransomware.”
Although the scope of this vulnerability is somewhat limited because IE has seen a steady decline in user-base, it still remains an attractive vector for cybercriminals, Hass added.
Meanwhile, two of the actively exploited bugs are important-rated RCE issues related to the Windows Adobe Type Manager Library.
The first, CVE-2020-1020, was already publicly disclosed. It arises because the library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format.
“Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font,” according to Dustin Childs, with ZDI, in a Patch Tuesday analysis. “The code would run at the level of the logged-on user.”
The related bug is the zero-day CVE-2020-0938, an RCE vulnerability that impacts an OpenType font renderer within Windows. Again, an attacker could execute code on a target system if a user viewed a specially crafted font.
Though the two are related, “there is currently no confirmation that the two are related to the same set of in-the-wild attacks,” Narang told Threatpost. As for attack vector, “to exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane,” he added.
Both of these bugs have been used in attacks on Windows 7 systems – and Childs noted that not all Windows 7 systems will receive a patch, since the OS left support in January of this year.
The final actively exploited bug – also not previously publicly disclosed – is CVE-2020-1027, which exists in the way that the Windows Kernel handles objects in memory. “An attacker who successfully exploited the vulnerability could execute code with elevated permissions,” according to Microsoft, which labeled the flaw “important.”
To exploit the vulnerability, a locally authenticated attacker would need to run a specially crafted application.
Other Priority Patches
Microsoft also patched several other notable bugs that researchers said admins should prioritize in the large update.
CVE-2020-0935 is the second previously disclosed issue, an important-rated privilege-elevation vulnerability found in OneDrive for Windows. It exists due to improper handling of symbolic links (shortcut links), and exploitation would allow an attacker to further compromise systems, execute additional payloads that may need higher privileges to be effective, or gain access to personal or confidential information that was not available previously.
“An attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status,” Hass told Threatpost. “OneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, it makes the potential scope for this vulnerability pretty high.”
ZDI’s Childs also flagged an important-rated Windows DNS denial-of-service (DoS) bug, CVE-2020-0993, which affects client systems.
“An attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system,” Childs wrote. “Considering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.”
Another, CVE-2020-0981, is an important-rated Windows token security feature bypass vulnerability that comes from Windows improperly handling token relationships in Windows 10 version 1903 and higher.
“It’s not often you see a security feature bypass directly result in a sandbox escape, but that’s exactly what this bug allows,” Childs explained. “Attackers could abuse this to allow an application with a certain integrity level to execute code at a different – presumably higher – integrity level.”
Critical SharePoint Bugs
SharePoint, a web-based collaborative platform that integrates with Microsoft Office, is often used as a document management and storage system. The platform saw its share of critical problems this month, including four critical RCE bugs, which arise from the fact that the software does not check the source markup of an application package, according to Microsoft’s advisory.
The bug tracked as CVE-2020-0929 paves the way for RCE and affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 Service Pack 2, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.
A second critical bug (CVE-2020-0931) also would allow RCE; it affects Microsoft Business Productivity Servers 2010 Service Pack 2, Microsoft SharePoint Enterprise Server 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Server 2019.
Yet another RCE problem (CVE-2020-0932) impacts Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019; and CVE-2020-0974 affects Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server 2019.
For all of the RCE bugs, “an attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said in the individual bug advisories. An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint.
SharePoint also harbors a fifth critical bug, CVE-2020-0927. This is an XSS flaw that affects Microsoft SharePoint Server 2019 and Enterprise Server 2016 and would allow spoofing.
Not One to Skip Amidst WFH
Even though IT and security organizations are already strained by the added stress of the sudden shift to remote working in the face of the coronavirus pandemic, April’s Patch Tuesday is not one to skip, Richard Melick, senior technical product manager at Automox, told Threatpost, not least given the four actively exploited bugs.
“From increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today’s zero-day, exploited and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponization,” he advised. “Hackers are not taking time off; they are working just as hard as everyone else.”
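The 24-hour/72-hour rule Melick describes is easy to turn into a repeatable triage step. The script below is an added example written for this page; it is not Automox, Microsoft or Threatpost code. It encodes the CVEs this article names, with the exploited/disclosed/severity attributes the article gives them (the list is deliberately limited to those CVEs, not the full 113), assigns each a deployment deadline and orders them so that exploited and publicly disclosed bugs come first, then criticals, then the rest. The `Cve` record type, field names and sort order are the example's own choices, not any vendor's schema.

```python
"""Patch-prioritisation helper (added example; not from the article or any vendor tool).

Applies the deployment rule quoted in the article: zero-day/exploited, publicly
disclosed and critical vulnerabilities within 24 hours, everything else within 72.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    severity: str           # Microsoft rating: "critical" or "important"
    product: str
    exploited: bool = False  # exploited in the wild, as stated in the article
    disclosed: bool = False  # publicly disclosed before the patch shipped


# Constructed from the CVEs named in the article only (a partial list, by design).
APRIL_2020: List[Cve] = [
    Cve("CVE-2020-0968", "critical", "Internet Explorer", exploited=True),
    Cve("CVE-2020-1020", "important", "Adobe Type Manager Library",
        exploited=True, disclosed=True),
    Cve("CVE-2020-0938", "important", "Adobe Type Manager Library", exploited=True),
    Cve("CVE-2020-1027", "important", "Windows Kernel", exploited=True),
    Cve("CVE-2020-0935", "important", "OneDrive for Windows", disclosed=True),
    Cve("CVE-2020-0993", "important", "Windows DNS client"),
    Cve("CVE-2020-0981", "important", "Windows token handling"),
    Cve("CVE-2020-0929", "critical", "SharePoint"),
    Cve("CVE-2020-0931", "critical", "SharePoint"),
    Cve("CVE-2020-0932", "critical", "SharePoint"),
    Cve("CVE-2020-0974", "critical", "SharePoint"),
    Cve("CVE-2020-0927", "critical", "SharePoint"),
]


def deadline_hours(cve: Cve) -> int:
    """24h for exploited, publicly disclosed or critical bugs; 72h for the remainder."""
    if cve.exploited or cve.disclosed or cve.severity == "critical":
        return 24
    return 72


def priority_key(cve: Cve) -> Tuple[bool, bool, bool, str]:
    """Sort key: exploited first, then disclosed, then critical; CVE id breaks ties.

    Booleans are negated because False sorts before True."""
    return (not cve.exploited, not cve.disclosed,
            cve.severity != "critical", cve.cve_id)


def schedule(cves: List[Cve]) -> List[Tuple[str, int]]:
    """Return (cve_id, deadline_hours) pairs in recommended deployment order."""
    return [(c.cve_id, deadline_hours(c)) for c in sorted(cves, key=priority_key)]


def count_by_deadline(cves: List[Cve]) -> Dict[int, int]:
    """How many patches fall into each deadline bucket; useful for sizing the work."""
    counts = {24: 0, 72: 0}
    for c in cves:
        counts[deadline_hours(c)] += 1
    return counts


if __name__ == "__main__":
    for cve_id, hours in schedule(APRIL_2020):
        print(f"{cve_id}: deploy within {hours}h")
    print(count_by_deadline(APRIL_2020))
```

Feeding the real monthly list (all 113 entries, with the exploited/disclosed flags taken from the vendor advisories) into `schedule()` gives a deployment order that can be handed straight to whatever tooling pushes the updates; the two-bucket count shows at a glance how much of the month's work sits inside the 24-hour window.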
Melick also said that the consequences of exploitation could be exacerbated given the work-from-home (WFH) lapses in security that may be present.
“With today’s remote workforce environment and the necessity of sharing documents through email or file share, all it takes is one phishing email, malicious website or exploited document to open the door for an attacker,” he said. “Once in, a malicious party would have the ability to modify data, install backdoors or new software, or gain full user rights accounts. While older versions of Windows are more susceptible to both exploits, the adoption rate of Windows 10 is only a little above 50 percent, leaving more than enough targets for attackers.”
Teams should be ready for plenty of overhead in terms of the patching work involved, added Jonathan Cran, head of research at Kenna Security.
“Given the shift to remote work for many organizations in combination with the current patch load from Oracle’s update earlier this week and what looks like a backlog of patching, this looks like a busy month for many security teams,” Cran told Threatpost. “We have yet to see how work from home impacts patching rates, but for security teams, installing numerous patches on remote employee laptops, likely via a corporate VPN to the Windows Server Update Services or Microsoft System Center Configuration Manager, will be a resource- and time-intensive endeavor.”