This month’s Microsoft Patch Tuesday addresses 50 vulnerabilities with only 8 of them labeled as Critical. Of the 8 Critical vulns, one is for browser and scripting engines, 3 are for .NET Framework and one for ASP.NET. In addition, Microsoft has patched 3 critical RCEs in Remote Desktop Gateway and Remote Desktop Client. Adobe issued patches today for Illustrator CC and Experience Manager.
A spoofing vulnerability (CVE-2020-0601) has been patched in Windows CryptoAPI (Crypt32.dll). An attacker can perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software by using a spoofed code-signing certificate. Although Microsoft rated this as Important, the NSA privately disclosed this vulnerability to Microsoft, and the patch should be prioritized on all systems. The NSA recommends installing the patch as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. For more details, see Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) – How to Detect and Remediate.
Scripting Engine, Browser, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
A Remote Code Execution vulnerability (CVE-2020-0611) has been patched in the Remote Desktop Client. Exploiting this vulnerability would require a target to connect to a malicious Remote Desktop Server.
Two remote code execution vulnerabilities (CVE-2020-0610 and CVE-2020-0609) have been patched in Remote Desktop Gateway that would require an attacker to send a specially crafted request to the RD gateway on the target systems via RDP. These patches should be prioritized on all systems where the Remote Desktop Gateway is used.
Today was a light release for Adobe. They have fixed one critical vulnerability in Illustrator CC, which should be prioritized on any workstation-type systems. Adobe also fixed three Important-rated and one moderate-rated information disclosure vulnerabilities in Experience Manager.
Critical vulnerabilities should be prioritized on all devices.