Tuesday, April 14, 2020

Microsoft Patch Tuesday — April 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw. 

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 115 vulnerabilities. Nineteen of the flaws Microsoft disclosed are considered critical. The remainder are rated as “important” updates.

This month’s security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel. A Cisco Talos researcher discovered CVE-2020-0939, an information disclosure vulnerability in Microsoft Media Foundation. For more, check out Talos’ full Vulnerability Spotlight here.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.


Critical vulnerabilities 

Microsoft disclosed 19 critical vulnerabilities, 10 of which we will highlight below.

CVE-2020-0687 is a remote code execution vulnerability that exists in the way the Windows font library handles some embedded fonts stored in memory. An attacker could exploit this bug by tricking a victim into visiting a specially crafted website or opening a malicious file that contains an affected embedded font. Successful exploitation would allow a malicious actor to gain complete control of the affected machine, giving them the ability to install new programs, manipulate data and create new user accounts.

CVE-2020-0907 is a remote code execution vulnerability in Microsoft Graphics Components that arises when the system improperly handles objects in memory. This bug can only be triggered when a user opens a specially crafted file. The attacker could then gain the ability to execute arbitrary code.

CVE-2020-0929, CVE-2020-0931 and CVE-2020-0932 are remote code execution vulnerabilities in Microsoft SharePoint. To exploit these vulnerabilities, an attacker needs to upload a specially crafted SharePoint package to an affected version of SharePoint, allowing them to execute arbitrary code in the SharePoint application pool and on the SharePoint server.

CVE-2020-0938 and CVE-2020-1020 are remote code execution vulnerabilities that arise when the Windows Adobe Type Manager Library processes certain OpenType fonts and multi-master (Adobe Type 1 PostScript) fonts, respectively. If an attacker were to exploit this bug on any operating system other than Windows 10, they could gain the ability to execute arbitrary code remotely. On Windows 10, they would be limited to executing code in the AppContainer sandbox with limited privileges.

CVE-2020-0968 and CVE-2020-0970 are memory corruption vulnerabilities in the Windows scripting engine inside the Internet Explorer web browser. These bugs could corrupt memory in such a way that would allow an attacker to execute arbitrary code in the context of the current user. An adversary could exploit these vulnerabilities by tricking a user into visiting a specially crafted site in Internet Explorer. Alternatively, they could embed an ActiveX control marked "safe for initialization" in a Microsoft Office document or other application that hosts the Internet Explorer rendering engine, and then trick the user into opening that file.

CVE-2020-0969 is a memory corruption vulnerability in the Microsoft Edge web browser’s Chakra scripting engine. An attacker could exploit this flaw by tricking a user into visiting a specially crafted, malicious website. This would then corrupt the memory on the victim machine in such a way that the actor could gain the ability to execute arbitrary code in the context of the current user.

The other critical vulnerabilities disclosed this month are:

Important vulnerabilities 

This release also contains 96 important vulnerabilities, eight of which we will highlight below.

CVE-2020-0760 is a remote code execution vulnerability in Microsoft Office that arises when a victim opens a specially crafted, malicious Office document. The flaw exists when Office improperly handles certain type libraries, allowing the attacker to execute arbitrary code in the context of the current user.

CVE-2020-0784 is an elevation of privilege vulnerability in DirectX that could allow a malicious actor to execute arbitrary code in kernel mode. To successfully exploit this flaw, an attacker needs to log onto the affected system, and then run a specially crafted application.

CVE-2020-0956, CVE-2020-0957 and CVE-2020-0958 are all elevation of privilege vulnerabilities in the Windows kernel-mode driver that could allow an attacker to execute arbitrary code in kernel mode. To successfully exploit these flaws, an attacker needs to log onto the affected system, and then run a specially crafted application.

CVE-2020-1004 is an elevation of privilege vulnerability in the Windows Graphics Component. Exploitation of this vulnerability can only take place in the local context, requiring a malicious user to run a specially crafted application on the victim machine. If successful, the attacker could run certain processes in an elevated context.

CVE-2020-1005 is an information disclosure vulnerability in the Windows Graphics Component that arises when the software improperly handles objects in memory. An attacker could exploit this flaw by logging on to an affected machine and running a specially crafted application. This could force the victim machine to disclose sensitive information that the attacker could then use in additional attacks.

CVE-2020-1027 is an elevation of privilege vulnerability in the Windows Kernel that could allow a malicious user to gain the ability to execute arbitrary code with elevated privileges. The malicious actor would need to be already locally authenticated, and then run a specially crafted application.

The other important vulnerabilities are:

Coverage  

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 53489 - 53492, 53619 - 53630, 53652 - 53655
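A defender's first question after a post like this is whether the listed rules are actually present and enabled in the deployed rule set. The following added example (not Talos' or Snort's own code) checks a Snort rules file against the SID ranges quoted above; the rule lines in `SAMPLE_RULES` are constructed for illustration and are not real Talos rules.

```python
import re

# Rule SIDs Talos lists for this month's coverage (ranges are inclusive).
COVERAGE_SID_RANGES = [(53489, 53492), (53619, 53630), (53652, 53655)]

# Constructed sample of a Snort rules file: two enabled rules, one rule that is
# present but commented out (disabled), and one unrelated SID. Not a real rule set.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule A"; sid:53489; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule B"; sid:53490; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule C"; sid:53620; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"unrelated rule"; sid:1000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def expected_sids(ranges=COVERAGE_SID_RANGES):
    """Expand the inclusive SID ranges into a set of individual SIDs."""
    sids = set()
    for lo, hi in ranges:
        sids.update(range(lo, hi + 1))
    return sids

def parse_rules(text):
    """Return {sid: enabled} for each line carrying a sid option; '#' lines are disabled."""
    found = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        found[int(m.group(1))] = not line.lstrip().startswith("#")
    return found

def coverage_report(text, ranges=COVERAGE_SID_RANGES):
    """Classify each expected SID as enabled, disabled (commented out) or missing."""
    present = parse_rules(text)
    report = {"enabled": [], "disabled": [], "missing": []}
    for sid in sorted(expected_sids(ranges)):
        if sid not in present:
            report["missing"].append(sid)
        elif present[sid]:
            report["enabled"].append(sid)
        else:
            report["disabled"].append(sid)
    return report

print(coverage_report(SAMPLE_RULES))  # run against a real file by reading it into text
```

Point the script at the rules file your sensors actually load, not the downloaded tarball, since local tuning often comments rules out.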
