8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Making the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right?
Not really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about more than a hundred others? They are like “some vulnerability in some component may be used in some attack (or may be not)”. If you describe each of them, no one will read or listen this.
You must choose what to highlight. And when I am reading the reports from Tenable, Qualys and ZDI, I see that they choose very different groups of vulnerabilities, pretty much randomly.
That's why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it giving me helicopter view on what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.
April 2020 Microsoft Patch Tuesday was published on 14.04.2020 and addressed 113 CVEs. 2 CVEs less than in March, but still too many to discuss them separately. 18 CVEs are critical (other reports say 19, but you can count it yourself) and 3 were exploited in the wild. These 3 are the most interesting, I've got them by "exploited" parameter in Microsoft CVE data.
Microsoft has finally released a patch for the Adobe Type Manager vulnerability (CVE-2020-1020). The advisory ADV200006 appeared on Microsoft website 23.03.2020, 3 week before this patch. The advisory stated, that this vulnerability was used in targeted attack in the wild. That's why it was discussed a lot. The idea is simple. If you open a special file or preview it in Explorer, remote code execution will occur. It is noted that previewing it in Microsoft Outlook is safe. This vulnerability is great for phishing attacks, in addition, it is also possible to exploit it through Web Distributed Authoring and Versioning (WebDAV). It is an extension of the HTTP that allows clients to perform remote Web content authoring operations. It is used, for example, in Microsoft SharePoint or ownCloud. And Microsoft claims that exploitation through WebDAV is the most likely attack vector.
I called this vulnerability "confusing" in the title because:
> To be clear and despite its name, this is not Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.
>
> – Rosyna Keller (@rosyna) March 23, 2020
Another vulnerability in the Adobe Font Manager Library (CVE-2020-0938) is very similar to previous CVE-2020-1020, although it impacts a different font renderer.
The last exploited vulnerability is the Elevation of Privilege (EoP) in Windows kernel (CVE-2020-1027). To exploit the vulnerability, a locally authenticated attacker should run a specially crafted application. Also all versions of Windows from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019 are vulnerable.
> We discovered CVE-2020-1027 being exploited in the wild and reported it on 23 March under a 7-day deadline (used only for actively exploited bugs). Microsoft asked for an extension due to current global circumstances and we agreed. Patch details at <https://t.co/VF3SqXHYV9> (1/2)
>
> – Tim Willis (@itswillis) April 14, 2020
What else can be interesting? I filtered the CVEs with "Exploitation more likely" flag for current and older versions.
As you can see, the most interesting vulnerability is Scripting Engine Memory Corruption Vulnerability (CVE-2020-0968), which in fact affects Internet Explorer. An attacker can make a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, or use the embedded an ActiveX control in application or Microsoft Office document. As a result, an attacker can execute arbitrary code in the context of the current user.
Other more likely to be exploitable vulnerabilities are Elevation of Privilege in DirectX, Windows Graphics Component and Windows Kernel. Not much information is available for them. "An attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system".
What about other 103 vulnerabilities that are less likely to be exploited according to Microsoft. I made groups for products with more then 5 vulnerabilities.
So, the most interesting groups are Jet Database Engine and Microsoft SharePoint, both have RCEs.
All other vulnerabilities in different products I combined by vulnerability type. Interesting EoP in OneDrive for Windows, but "most customers have been protected from this vulnerability because OneDrive has its own updater that periodically checks and updates the OneDrive binary".
Zero Day Initiative recommends to note Denial-of-Service in the Windows DNS service (CVE-2020-0993). "Considering the damage that could be done by an unauthenticated attacker". At the same time Microsoft website says: "To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service". It seems like a mistake on ZDI or MS, but worth mentioning.
So, that's it for April Patch Tuesday. What about the interesting vulnerabilities from February and March?
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C