April 2020 Patch Tuesday: Microsoft fixes three actively exploited vulnerabilities
For the April 2020 Patch Tuesday, Adobe plugs 5 flaws and Microsoft 113, three of which are currently being exploited by attackers.
Adobe’s updates
On this Patch Tuesday, Adobe has released security updates for ColdFusion (2016 and 2018) for all platforms, After Effects (for Windows and macOS), and Digital Editions for Windows.
No critical vulnerabilities have been addressed this time. Both After Effects and Digital Editions are vulnerable to one single flaw each that could lead to information disclosure.
ColdFusion, a popular web application development platform, has received updates that fix vulnerabilities that could be exploited to perform application-lever DoS, privilege escalation, and system file structure disclosure.
The security advisory also notes that, in order for the Coldfusion update to secure the server, users must also update their ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Adobe has also pointed customers towards guides that should help them lock down their ColdFusion installations.
None of the fixed issues are under active attack.
Microsoft’s updates
As per usual, Microsoft has released patches for a wide variety of its software. 113 CVE-numbered vulnerabilities have been fixed, of which 17 are critical and 96 important.
First things first: two of the critical vulnerabilities can allow remote code execution and are under active exploitation.
CVE-2020-1020 and CVE-2020-0938 are two remote code execution flaws whose existence and active exploitation was revealed by Microsoft at the end of March.
Both affect the Windows Adobe Type Manager Library and both arise from how it improperly handles a specially-crafted multi-master font. They can be triggered by users viewing a specially crafted font/document or viewing it in the Windows Preview pane.
In the previously mentioned attacks in the wild, attackers used them to target Windows 7 users, though Windows 10, 8.1, RT 8.1 and various editions of Windows Server contain the vulnerable library. The risk they carry for Windows 10 machines is slight, i.e., a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.
“Although the attacks specifically have targeted Windows 7 systems, not all Win7 systems will receive a patch since the OS left support in January of this year. Only those Windows 7 and Server 2008 customers with an ESU license will receive the patch,” noted Trend Micro Zero Day Initiative’s Dustin Childs.
Other vulnerabilities of note in this batch:
CVE-2020-0935: an elevation of privilege vulnerability that arises from the OneDrive for Windows Desktop application improperly handling symbolic links. This one has been publicly disclosed, but is not actively exploited. “Most customers have been protected from this vulnerability because OneDrive has its own updater that periodically checks and updates the OneDrive binary,” Microsoft noted.
CVE-2020-0993: A DoS bug in the Windows DNS service, affecting client systems. Despite not allowing code execution, Childs believes it should be high on admins’ test and deploy list, because of the widespread damage an authenticated attacker could inflict through it.
There’s CVE-2020-0981, a Windows Token security feature bypass vulnerability that can allow a sandbox escape, but it affects only Windows 10 version 1903 and higher.
Jimmy Graham, Senior Director of Product Management at Qualys advises admins to prioritize:
- Scripting Engine, Adobe Font Manager Library, Media Foundation, Microsoft Graphics, and Windows Codecs patches for workstation-type devices. One of the patches fixes CVE-2020-0968, a RCE in Internet Explorer 11 and 9, which Microsoft initially flagged as being exploited in the wild.
- The patch for CVE-2020-1027, an actively exploited privilege escalation vulnerability in the Windows Kernel, for all Windows devices
- SharePoint patches covering RCE and XSS vulnerabilities for all SharePoint servers.
Less likely to be exploited but still important to be patched are a Hyper-V Hypervisor Escape flaw (CVE-2020-0910) and a RCE affecting Dynamics Business Central (CVE-2020-1022), he says.
“Organizations are already strained with the added stresses of the sudden shift to remote workers and the technological needs, but today’s Patch Tuesday is not one to skip,” noted Richard Melick, Sr. Technical Product Manager, Automox.
He advises IT and SecOps managers to create a deployment plan that addresses today’s zero-day, exploited, and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponization.
Oracle’s updates
The April 2020 Patch Tuesday coincides with Oracle’s scheduled Critical Patch Update for April 2020.
It is yet to be released, but according to the pre-release announcement, 405 new security vulnerabilities will be addressed, in a wide variety of its offerings. Admins should take a peek at it and see whether there is extensive patching in their future.
UPDATE (April 15, 2020, 1:00 a.m. PT):
Microsoft has revised the update guide for CVE-2020-0968, the RCE in Internet Explorer 11 and 9, to say that it is not being exploited, so the number of actively exploited flaws is three instead of four. We’ve amended the article and the title to reflect this.
Oracle’s pre-release announcement has been replaced by the Critical Patch Update Advisory, which says that the CPU contains 397 new security patches.
VMware has also released a security update this Patch Tuesday, to fix Cross Site Scripting (XSS) and Open Redirect vulnerabilities (CVE-2020-3953, CVE-2020-3954) in VMware vRealize Log Insight, its centralized log management and intelligent analytics offering.