Three previously exploited Windows zero-day vulnerabilities are to be addressed as a priority with Microsoft’s April security update. Of the 113 flaws covered by this Patch Tuesday, several important patches concern the Microsoft hypervisor, SharePoint and the ERP for SMEs Dynamics Business Central.
On April 14, the 2nd Tuesday of the month, Microsoft delivered a security update roughly equivalent to that of last month in terms of vulnerabilities fixed, 113 against 115 in March, by intervening on 19 critical vulnerabilities (against 26 in March ) and 94 rated important. The delivery includes patches for three zero-day vulnerabilities that are already exploited, CVE-2020-1020, CVE-2020-0938 and CVE-2020-1027, the first two being rated critical or important depending on Windows versions, while the severity of the 3rd is important. Even if the critical level is not declared for the latter, the application of patches is a priority for these three flaws on Windows terminals, points out the security specialist Qualys on his blog. The CVE-2020-1027 vulnerability addresses an elevation of privilege risk in how the Windows kernel manipulates objects in memory, Microsoft says. If exploited by an attacker, authenticated locally using a purpose-built application, it would allow code to be executed with elevated permissions. The fix takes priority on all Windows devices, says Jimmy Graham of Qualys.
The other two zero-day flaws, CVE-2020-1020 and CVE-2020-0938, were announced in March. These remote code execution vulnerabilities appear in Windows when the Adobe Type Manager library improperly handles a specially developed multi-master Adobe Type 1 PostScript font. Code could then be executed remotely. Apart from Windows 10, all versions of the Microsoft OS are affected. In Windows 10, the risk is partially reduced, but an attacker could still run code in an AppContainer sandbox context with limited privileges and capabilities, Microsoft says. He could install programs, view, change or delete data, or create new accounts with full user rights. Many means can be used to exploit these flaws. The attacker could for example try to convince the user to open a malicious document or display it in preview. Even if the risk is lower for Windows 10, these patches must be installed as a priority on all Windows workstations.
Hyper-V, SharePoint and Dynamics BC/NAV to fix quickly
Hyper-V, Microsoft’s virtualization system, is among the other software to be patched this month. A remote code execution flaw, CVE-2020-0910, would allow an authenticated user on a guest system to execute arbitrary code on the host system. Even if it is unlikely according to Microsoft, this patch is also a priority. In addition, the SharePoint document sharing solution has five vulnerabilities to fix, four are remotely executable, CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974, the 5th is a XSS (cross-site scripting) flaw, CVE-2020-0927, which arises when SharePoint Server does not correctly intervene on specifically crafted requests, which could lead to the injection of malicious content into the web browser of the user.
The ERP for SMEs, Dynamics Business Central, is also affected by the updates, with a remote code execution flaw, CVE-2020-1022, allowing to launch arbitrary kernel commands on the victim’s server. To exploit it, the attacker must convince the latter to connect to a malicious Dynamics Business Central client or elevate the access permission to the system. Although considered not very exploitable by Microsoft, Qualys considers that its correction is a priority on all Dynamics BC/NAV systems because the targets are sensitive servers for their users.
Fixes for Edge, IE, Visual Studio, Apps…
In addition to Windows and the software already mentioned, several versions of Office (including Word, Excel, Visio, Publisher, Access), Office Services, Web Apps and Project are affected by this Patch Tuesday, as well as Edge web browsers (on EdgeHTML and on Chromium) and Internet Explorer and the ChakraCore engine, but also Windows Defender, Visual Studio, as well as Apps for Mac and Android.
As for the Adobe patches delivered, these apply in particular to ColdFusion, After Effects and Digital Editions software for flaws deemed important.