Microsoft has released April Patch Tuesday security updates, addressing a total of 113 vulnerabilities in the family of Windows operating systems and related products. Out of these, 19 are classified as Critical and 94 as Important which includes Microsoft Office Services and Web Apps, Internet Explorer, Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), Microsoft Apps for Mac, Microsoft Dynamics, Windows Defender, and ChakraCore.
All of the critical bugs are remote code execution that resides in the Internet Explorer, ChakraCore, Windows, Microsoft SharePoint, Scripting engine, Media Foundation component, and Microsoft Dynamics.
Three zero-days are under active attack and the two (CVE-2020-1020, CVE-2020-0938) of them being public at the time of release get the highest attention. They were discovered and reported by Google’s two security teams — Project Zero and the Threat Analysis Group (TAG).
Zero-day and Under Active Exploit Vulnerabilities:
Adobe Font Manager Library Remote Code Execution Vulnerability | CVE-2020-1020 | CVE-2020-0938:
Attackers utilized these vulnerabilities to target Windows 7 users, though Windows 10, 8.1, RT 8.1 and different releases of Windows Server contain the vulnerable library. Although Windows 10 machines are slightly less vulnerable, as a successful attack could only bring about code execution within an AppContainer sandbox setting with constrained privileges and capabilities.
There are multiple ways an attacker could exploit the vulnerability, for example, persuading a user to open a specially made document or viewing it in the Windows Preview pane.
Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1027:
There exists a privilege elevation vulnerability while handling memory objects in Windows Kernel handles. Successful exploitation of the vulnerability could execute code with kernel access with elevated privileges.
Other Interesting Vulnerabilities:
Scripting Engine Memory Corruption Vulnerability | CVE-2020-0968:
Initially, this vulnerability was considered a zero-day but later Microsoft issued a correction on the CVE-2020-0968 security advisory to update its exploitation status. This vulnerability has not been exploited in the wild.
A remote code execution vulnerability exists in Internet Explorer while scripting engine handling the objects in memory. Successful exploitation of the vulnerability could corrupt memory and allows the attacker to execute arbitrary code in the context of the current user.
In a web-based attack scenario, an attacker could host a maliciously crafted website that will exploit the vulnerability through Internet Explorer and then persuade a user to view the website. Also, an attacker could exploit an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.
The attacker could also take advantage of compromised websites and sites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
OneDrive for Windows Elevation of Privilege Vulnerability | CVE-2020-0935 :
An elevation of privilege vulnerability arises from the OneDrive for Windows Desktop application while handling symbolic links.
Successful exploitation of the vulnerability could allow an attacker to overwrite a targeted file leading to an elevated status and also, could run a specially crafted application that could exploit the vulnerability and take control of an affected system but an attacker would first have to log on to the system.
Windows DNS Denial of Service Vulnerability | CVE-2020-0993:
A denial of service vulnerability exists in Windows DNS when it fails to properly handle DNS queries. Successful exploitation of the vulnerability could cause the DNS service to become nonresponsive.
To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service.
Windows Token Security Feature Bypass Vulnerability| CVE-2020-0981:
A security feature bypass vulnerability exists in Windows while handling token relationships that allow sandbox escape. This only affects Windows 10 version 1903 and higher.
Successful exploitation of the vulnerability could allow an attacker to run an application with a certain integrity level is permitted to execute code at a different integrity level, leading to a sandbox escape.
Microsoft Security Bulletin Summary for April 2020:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Visual Studio
- Microsoft Dynamics
- Microsoft Apps for Mac
Product: Microsoft Windows
CVEs/Advisory: CVE-2020-0687, CVE-2020-0699, CVE-2020-0784, CVE-2020-0794, CVE-2020-0821, CVE-2020-0888, CVE-2020-0889, CVE-2020-0907, CVE-2020-0910, CVE-2020-0913, CVE-2020-0917, CVE-2020-0918, CVE-2020-0934, CVE-2020-0936, CVE-2020-0937, CVE-2020-0938, CVE-2020-0939, CVE-2020-0940, CVE-2020-0942, CVE-2020-0944, CVE-2020-0945, CVE-2020-0946, CVE-2020-0947, CVE-2020-0948, CVE-2020-0949, CVE-2020-0950, CVE-2020-0952, CVE-2020-0953, CVE-2020-0955, CVE-2020-0956, CVE-2020-0958, CVE-2020-0959, CVE-2020-0960, CVE-2020-0962, CVE-2020-0964, CVE-2020-0965, CVE-2020-0981, CVE-2020-0982, CVE-2020-0983, CVE-2020-0985, CVE-2020-0987, CVE-2020-0988, CVE-2020-0992, CVE-2020-0993, CVE-2020-0994, CVE-2020-0995, CVE-2020-0996, CVE-2020-0999, CVE-2020-1000, CVE-2020-1001, CVE-2020-1003, CVE-2020-1004, CVE-2020-1005, CVE-2020-1006, CVE-2020-1007, CVE-2020-1008, CVE-2020-1009, CVE-2020-1011, CVE-2020-1014, CVE-2020-1015, CVE-2020-1016, CVE-2020-1017, CVE-2020-1020, CVE-2020-1027, CVE-2020-1029, CVE-2020-1094
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass
KBs: 4549949, 4549951, 4550917, 4550922, 4550927, 4550929, 4550930, 4550961, 4550970, 4550971
Product: Internet Explorer
CVEs/Advisory: CVE-2020-0895, CVE-2020-0966, CVE-2020-0967, CVE-2020-0968
Impact: Remote Code Execution
KBs: 4549949, 4549951, 4550905, 4550917, 4550922, 4550927, 4550929, 4550930, 4550951, 4550961, 4550964
Product: Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory: CVE-2020-0760, CVE-2020-0906, CVE-2020-0961, CVE-2020-0980, CVE-2020-0991
Impact: Remote Code Execution
KBs: 3128012, 3203462, 4011104, 4475609, 4484117, 4484126, 4484214, 4484229, 4484238, 4484258, 4484260, 4484266, 4484287, 4484290, 4484294, 4484296,
Product: Windows Defender
Impact: Elevation of Privilege
Product: Microsoft Apps for Mac
Impact: Remote Code Execution