News

Microsoft's April Patch Rollout Tackles Over 110 CVEs

• By Kurt Mackie
• 04/15/2020

Microsoft's latest security patch bundle, released Tuesday, was another hefty one.

The April rollout addresses about 113 common vulnerabilities and exposures (CVEs), according to assessments by Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) blog and Todd Schell, Ivanti's senior product manager for security. The Cisco Talos blog found a total of 115 CVEs in Microsoft's April bundle.

Microsoft's patch load for this year has been heavy. The CVE count for Microsoft's software in 2020 (January through April) is up 44 percent compared with the same period last year, Childs noted.

Microsoft doesn't provide a patch count each month, but its main publication is its "Security Update Guide," with 129 pages of mind-numbing detail this time. Microsoft's April "Release Notes" document listed fixes arriving for Windows, Windows Defender, Edge and Internet Explorer, Microsoft Office, Microsoft Dynamics, Visual Studio, plus apps for Android and Mac.

About 19 of the CVEs in Microsoft's April bundle are rated "Critical" by Microsoft. About 96 in the bundle got the "Important" rating.

There were no new security advisories released for this month.

Microsoft issued new Servicing Stack Updates (SSUs) for Windows systems, as usual, which are described in its updated ADV990001 Security Advisory. SSUs are fixes for Microsoft's update services and they are supposed to be applied first. SSUs get the Critical rating from Microsoft, even though they aren't the same thing as security patches.

Exploited and Public CVEs
Three of the CVEs are listed as having been already exploited, which increases risks for organizations, according to Schell. Two of the CVEs were publicly known before the April patch release.

The three exploited CVEs ("zero days") are all rated Important, and include:

• CVE-2020-1020, a remote code execution (RCE) issue in the Adobe Font Manager Library, which is also listed as being publicly known, and was the subject of a security advisory released in late March.
• CVE-2020-0938, an RCE issue in the OpenType Font Manager Library.
• CVE-2020-1027, an elevation-of-privilege issue in the Windows kernel.

CVE-2020-1020 and CVE-2020-0938, listed above, both affect the out-of-support Windows 7 operating system as well as newer systems, but organizations will need to have an Extended Security Updates agreement in place to receive the April patches for Windows 7 systems, Childs noted. CVE-2020-1020 is rated just Important on Windows 10 systems due to its sandboxing capabilities. Windows 10 features the use of an "AppContainer sandbox with limited privileges and capabilities," according to Ivanti's Schell.

CVE-2020-1027, the Windows kernel elevation-of-privilege flaw, would require an attacker "to be locally authenticated to run a specially crafted application in order to take advantage of this vulnerability," Schell noted. It could be used in an advanced persistent threat scenario, he added.

The other publicly known issue, CVE-2020-0935, is an Important elevation-of-privilege flaw in the OneDrive for Windows desktop storage application. To exploit it, an attacker would have to log onto a system and run a "specially crafted application" to be able to "take control of an affected system," according to Microsoft's security bulletin description.

Notable Critical CVEs
Jon Munshaw of Cisco Talos highlighted some of the 19 Critical CVEs addressed in this month's patch bundle.

CVE-2020-0687 is an RCE vulnerability in the Windows Font Library. An attack requires getting someone to visit a Web site or open a file, but the vulnerability would "allow a malicious actor to gain complete control of the affected machine," Munshaw indicated.

CVE-2020-0929, CVE-2020-0931 and CVE-2020-0932 are all SharePoint RCE vulnerabilities, but they seem pretty bad. "To exploit these vulnerabilities, an attacker needs to upload a specially crafted SharePoint package to an affected version of SharePoint, allowing them to execute arbitrary code in the SharePoint application pool and the SharePoint server," Munshaw explained.

CVE-2020-0907 is an RCE vulnerability in Microsoft Graphics Components due to improper handling of objects in memory. It can "only be triggered when a user opens a specially crafted file," Munshaw stated.

CVE-2020-0968 and CVE-2020-0970 are memory corruption vulnerabilities in Internet Explorer's Windows scripting engine. Exploits would require getting a user to visit a Web site or to open a Microsoft Office document, according to Munshaw. The Microsoft Edge browser's Chakra scripting engine also has a memory corruption vulnerability that could lead to code execution per the CVE-2020-0969 bulletin.

For even more patch talk, Ivanti plans to hold its monthly Patch Tuesday Web talk on April 15, with sign-up located here.