ID: CVE-2020-0653
Type: cve
Reporter: cve@mitre.org
Modified: 2020-01-21T21:46:00
Description
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0651.
{"symantec": [{"lastseen": "2020-01-15T00:26:16", "bulletinFamily": "software", "cvelist": ["CVE-2020-0653"], "description": "### Description\n\nMicrosoft Excel is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 365 ProPlus for 32-bit Systems \n * Microsoft Office 365 ProPlus for 64-bit Systems \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2020-01-14T00:00:00", "published": "2020-01-14T00:00:00", "id": "SMNTC-111406", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111406", "type": "symantec", "title": "Microsoft Excel CVE-2020-0653 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2020-08-07T11:48:19", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0653"], "description": "A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. 
Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.\n", "edition": 2, "modified": "2020-01-14T08:00:00", "id": "MS:CVE-2020-0653", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0653", "published": "2020-01-14T08:00:00", "title": "Microsoft Excel Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-05T15:41:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0652", "CVE-2020-0653", "CVE-2020-0651", "CVE-2020-0650"], "description": "This host is missing an important security\n update according to Microsoft Office Click-to-Run updates.", "modified": "2020-06-04T00:00:00", "published": "2020-01-15T00:00:00", "id": "OPENVAS:1361412562310815562", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815562", "type": "openvas", "title": "Microsoft Office 365 (2016 Click-to-Run) Multiple Vulnerabilities-Jan20", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815562\");\n script_version(\"2020-06-04T08:47:11+0000\");\n script_cve_id(\"CVE-2020-0650\", \"CVE-2020-0651\", \"CVE-2020-0652\", \"CVE-2020-0653\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 08:47:11 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-15 13:20:37 +0530 (Wed, 15 Jan 2020)\");\n script_name(\"Microsoft Office 365 (2016 Click-to-Run) Multiple Vulnerabilities-Jan20\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Office Click-to-Run updates.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An error in Microsoft Office software, it fails to properly handle objects\n in memory.\n\n - An error in Microsoft Excel software, it fails to properly handle objects\n in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code and conduct a denial-of-service attack.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 365 (2016 Click-to-Run).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/officeupdates/office365-proplus-security-updates\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_office_click2run_detect_win.nasl\");\n script_mandatory_keys(\"MS/Off/C2R/Ver\", \"MS/Office/C2R/UpdateChannel\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nofficeVer = get_kb_item(\"MS/Off/C2R/Ver\");\nif(!officeVer || officeVer !~ \"^16\\.\"){\n exit(0);\n}\n\nUpdateChannel = get_kb_item(\"MS/Office/C2R/UpdateChannel\");\nofficePath = get_kb_item(\"MS/Off/C2R/InstallPath\");\n\n## 1912 (Build 12325.20298)\nif(UpdateChannel == \"Monthly Channel\")\n{\n if(version_is_less(version:officeVer, test_version:\"16.0.12325.20298\")){\n fix = \"1912 (Build 12325.20298)\";\n }\n}\n\n## 1908 (Build 11929.20562)\nelse if(UpdateChannel == \"Semi-Annual Channel (Targeted)\")\n{\n if(version_is_less(version:officeVer, test_version:\"16.0.11929.20562\")){\n fix = \"1908 (Build 11929.20562)\";\n }\n}\n\n## 1902 (Build 11328.20512)\n## 1808 (Build 10730.20432)\n## 1908 (Build 11929.20562)\nelse if(UpdateChannel == \"Semi-Annual Channel\")\n{\n if(version_is_less(version:officeVer, test_version:\"16.0.10730.20432\")){\n fix = \"1808 (Build 10730.20432)\";\n }\n\n else if(version_in_range(version:officeVer, test_version:\"16.0.11328\", test_version2:\"16.0.11328.20512\")){\n fix = \"1902 (Build 11328.20512)\";\n }\n\n else if(version_in_range(version:officeVer, test_version:\"16.0.11929\", test_version2:\"16.0.11929.20562\")){\n fix = \"1908 (Build 11929.20562)\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:officeVer, fixed_version:fix, install_path:officePath);\n security_message(data:report);\n 
exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:47:05", "bulletinFamily": "info", "cvelist": ["CVE-2020-0652", "CVE-2020-0653", "CVE-2020-0654", "CVE-2020-0647", "CVE-2020-0651", "CVE-2020-0650"], "description": "### *Detect date*:\n01/14/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, spoof user interface.\n\n### *Affected products*:\nMicrosoft Office 2019 for Mac \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nMicrosoft Excel 2013 RT Service Pack 1 \nMicrosoft Excel 2010 Service Pack 2 (32-bit editions) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2016 for Mac \nMicrosoft Excel 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2016 (64-bit edition) \nMicrosoft Excel 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2019 for 32-bit editions \nOffice Online Server \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2016 (32-bit edition) \nOne Drive for Android \nMicrosoft Office 2019 for 64-bit editions \nOffice 365 ProPlus for 32-bit Systems \nOffice 365 ProPlus for 64-bit Systems \nMicrosoft Excel 2010 Service Pack 2 (64-bit editions) \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Office 2013 Service Pack 1 (64-bit editions)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0654](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0654>) \n[CVE-2020-0652](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0652>) 
\n[CVE-2020-0653](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0653>) \n[CVE-2020-0650](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0650>) \n[CVE-2020-0651](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0651>) \n[CVE-2020-0647](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0647>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2020-0654](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0654>)0.0Unknown \n[CVE-2020-0652](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0652>)0.0Unknown \n[CVE-2020-0653](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0653>)0.0Unknown \n[CVE-2020-0650](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0650>)0.0Unknown \n[CVE-2020-0651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0651>)0.0Unknown \n[CVE-2020-0647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0647>)0.0Unknown\n\n### *KB list*:\n[4484221](<http://support.microsoft.com/kb/4484221>) \n[4484236](<http://support.microsoft.com/kb/4484236>) \n[4484234](<http://support.microsoft.com/kb/4484234>) \n[4484243](<http://support.microsoft.com/kb/4484243>) \n[4484217](<http://support.microsoft.com/kb/4484217>) \n[4484227](<http://support.microsoft.com/kb/4484227>) \n[4484223](<http://support.microsoft.com/kb/4484223>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-05-22T00:00:00", "published": "2020-01-14T00:00:00", "id": "KLA11633", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11633", "title": "\r KLA11633Multiple vulnerabilities in Microsoft Office ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-01-17T23:27:08", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0601", 
"CVE-2020-0602", "CVE-2020-0603", "CVE-2020-0605", "CVE-2020-0606", "CVE-2020-0607", "CVE-2020-0608", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0611", "CVE-2020-0612", "CVE-2020-0613", "CVE-2020-0614", "CVE-2020-0615", "CVE-2020-0616", "CVE-2020-0617", "CVE-2020-0620", "CVE-2020-0621", "CVE-2020-0622", "CVE-2020-0623", "CVE-2020-0624", "CVE-2020-0625", "CVE-2020-0626", "CVE-2020-0627", "CVE-2020-0628", "CVE-2020-0629", "CVE-2020-0630", "CVE-2020-0631", "CVE-2020-0632", "CVE-2020-0633", "CVE-2020-0634", "CVE-2020-0635", "CVE-2020-0636", "CVE-2020-0637", "CVE-2020-0638", "CVE-2020-0639", "CVE-2020-0640", "CVE-2020-0641", "CVE-2020-0642", "CVE-2020-0643", "CVE-2020-0644", "CVE-2020-0646", "CVE-2020-0647", "CVE-2020-0650", "CVE-2020-0651", "CVE-2020-0652", "CVE-2020-0653", "CVE-2020-0654", "CVE-2020-0656"], "description": "[](<http://3.bp.blogspot.com/-bIERk6jqSvs/XKypl8tltSI/AAAAAAAAFxU/d9l6_EW1Czs7DzBngmhg8pjdPfhPAZ3yACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>) \n \n \n \n \n \n \n \n \n \n \n_By Jon Munshaw._ \n_ \n_**Updated January 15th: Added an Advanced Custom Detection (ACD) signature for AMP that can be used to detect exploitation of CVE-2020-0601 by **_**spoofing certificates masquerading as a Microsoft ECC Code Signing Certificate Authority.**_ \n \nMicrosoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's [Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan>) covers 49 vulnerabilities, eight of which are considered critical. \n \nThis month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. 
The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs [says the vulnerability is so serious](<https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/>), Microsoft secretly deployed a patch to branches of the U.S. military prior to today. \n \nJanuary's update is also the last that will provide free updates to Windows 7 and Windows Server 2008/2008 R2. \n \nTalos also released a new set of [SNORT\u24c7 rules](<https://snort.org/advisories/talos-rules-2020-01-14>) that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post [here](<https://blog.snort.org/2020/01/snort-rule-update-for-jan-14-2020.html>). \n \n\n\n### Critical vulnerabilities\n\nMicrosoft disclosed eight critical vulnerabilities this month, all of which we will highlight below. \n \n[CVE-2020-0603](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0603>), [CVE-2020-0605](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605>), [CVE-2020-0606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606>) and [CVE-2020-0646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646>) are all remote code execution vulnerabilities in the .NET and ASP.NET core software. All four of these vulnerabilities can be triggered if a user opens a malicious, specially crafted file while using an affected version of .NET or ASP.NET Core. If successful, an attacker could then execute arbitrary code in the context of the current user. These bugs exist in how the software handles objects in memory. \n \n[CVE-2020-0609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>) and [CVE-2020-0610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>) are remote code execution vulnerabilities in the Windows Remote Desktop Protocol Gateway Server. 
An attacker could exploit these bugs by sending a specially crafted request to the victim's system RDP Gateway via RDP. This vulnerability is pre-authentication and does not require any user interaction. \n \n[CVE-2020-0611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611>) is a remote code execution vulnerability in the Windows Remote Desktop Protocol client. This vulnerability can be triggered if a user visits a malicious, specially crafted server. An attacker would need to trick the user into connecting to this server, either via a malicious file or a man-in-the-middle technique. The attacker could then execute arbitrary code on the victim's machine. \n \n[CVE-2020-0640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0640>) is a memory corruption vulnerability that exists in the way the Internet Explorer web browser handles objects in memory. An attacker could use this bug to corrupt the victim machine, and then gain the ability to execute arbitrary code. A user can trigger this vulnerability by visiting a malicious, attacker-controlled web page in Internet Explorer. \n \n\n\n### Important vulnerabilities\n\nThis release also contains 41 important vulnerabilities, three of which we will highlight below. \n \n[CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) is a spoofing vulnerability in Windows CryptoAPI. The specific component, crypt32.dll, improperly validates Elliptic Curve Cryptography certificates. An attacker could exploit this bug to spoof a code-signing certificate and secretly sign a file, making that file appear as if it is from a trusted source. A malicious actor could also use this vulnerability to conduct man-in-the-middle attacks and decrypt confidential information. 
\n \n[CVE-2020-0616](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0616>) is a denial-of-service vulnerability in Windows due to the way the operating system handles hard links. An attacker needs to log onto the victim machine to exploit this bug, and then run a specially crafted application that would allow them to overwrite system files. \n \n[CVE-2020-0654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654>) is a vulnerability in the OneDrive app for Android devices that could allow an attacker to bypass certain security features. If the user accesses a link to a file on a OneDrive folder a certain way, they could bypass the passcode or fingerprint requirements for the app. \n \nThe other important vulnerabilities are: \n\n\n * [CVE-2020-0602](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0602>)\n * [CVE-2020-0607](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0607>)\n * [CVE-2020-0608](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0608>)\n * [CVE-2020-0612](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0612>)\n * [CVE-2020-0613](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0613>)\n * [CVE-2020-0614](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0614>)\n * [CVE-2020-0615](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0615>)\n * [CVE-2020-0617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0617>)\n * [CVE-2020-0620](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0620>)\n * [CVE-2020-0621](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0621>)\n * [CVE-2020-0622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0622>)\n * 
[CVE-2020-0623](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0623>)\n * [CVE-2020-0624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0624>)\n * [CVE-2020-0625](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0625>)\n * [CVE-2020-0626](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0626>)\n * [CVE-2020-0627](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0627>)\n * [CVE-2020-0628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0628>)\n * [CVE-2020-0629](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0629>)\n * [CVE-2020-0630](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0630>)\n * [CVE-2020-0631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0631>)\n * [CVE-2020-0632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0632>)\n * [CVE-2020-0633](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0633>)\n * [CVE-2020-0634](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0634>)\n * [CVE-2020-0635](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0635>)\n * [CVE-2020-0636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0636>)\n * [CVE-2020-0637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0637>)\n * [CVE-2020-0638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0638>)\n * [CVE-2020-0639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0639>)\n * [CVE-2020-0641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0641>)\n * [CVE-2020-0642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642>)\n * 
[CVE-2020-0643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0643>)\n * [CVE-2020-0644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0644>)\n * [CVE-2020-0647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0647>)\n * [CVE-2020-0650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0650>)\n * [CVE-2020-0651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0651>)\n * [CVE-2020-0652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0652>)\n * [CVE-2020-0653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0653>)\n * [CVE-2020-0656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0656>)\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing a new SNORT\u24c7 rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nThese rules are: 52593 - 52596, 52604, 52605 \n \n\n\n#### AMP Advanced Custom Detection (ACD) signature\n\n \nWhile there can be multiple ways that an attacker can exploit CVE-2020-0601, AMP can be used to detect spoofed certificates that are masquerading as a Microsoft ECC Certificate Authority by adding an advanced custom detection signature. The process to add this signature can be found in the [AMP documentation](<https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf>) on page 33 in the Outbreak Control section under custom detections. 
The actual custom signature that needs to be added can be downloaded [here](<https://blogs.cisco.com/cve-2020-0601-2>). \n\n", "modified": "2020-01-17T10:14:27", "published": "2020-01-17T10:14:27", "id": "TALOSBLOG:6A8FEAE9B7E20A5AA1A11907296891AF", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6XqA-qeq9Xs/microsoft-patch-tuesday-jan-2020.html", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 Jan. 2020: Vulnerability disclosures and Snort coverage", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}