April Patch Tuesday 2020
This month Microsoft resolved 113 unique common vulnerabilities and exposures (CVEs), 19 of which are rated as critical. This month’s updates include three zero-day vulnerabilities and two public disclosures. All three zero-day vulnerabilities exist on Windows 7, Server 2008, and Server 2008 R2 versions, so if you are still running on those versions of the Windows OS and have not already looked into Extended Security Updates (ESU) support you are at increased risk.
Microsoft has released updates for Windows, Internet Explorer, Edge and Edge (Chromium), Microsoft Office, SharePoint, Windows Defender, Visual Studio, Microsoft Dynamics, Microsoft Apps for Android and Apps for Mac.
Microsoft has resolved two Critical vulnerabilities (CVE-2020-1020 and CVE-2020-0938) in Adobe Font Manager Library that are actively being exploited. CVE-2020-1020 has also been publicly disclosed, increasing the accessibility of this exploit to threat actors. If exploited, an attacker could execute code remotely and could install programs; view, change or delete data; or create new accounts with full admin rights. Windows 10 systems restrict the execution of malicious code to an AppContainer sandbox with limited privileges and capabilities. Since this is a user targeted vulnerability, an attacker could target someone with a specially crafted document. This vulnerability is exploitable through the Windows Preview Pane.
Microsoft has resolved an Important vulnerability in the Windows Kernel (CVE-2020-1027) which could allow an Elevation of Privilege. An attacker could take advantage of how the Windows Kernel handles objects in memory to elevate their permissions and take control of the affected system. The attacker would need to be locally authenticated to run a specially crafted application in order to take advantage of this vulnerability. In an advanced persistent threat scenario this vulnerability would be used in concert with another vulnerability that allows the attacker to gain access to the user’s system to gain elevated access to a system where they would otherwise only have limited access.
Microsoft has resolved an Important vulnerability in OneDrive (CVE-2020-0935) that has been publicly disclosed. The vulnerability could allow an attacker to elevate their privilege level which could enable them to run a specially crafted application to take control of the affected system. OneDrive has an update feature that periodically checks and updates the OneDrive binary, so most customers should already be protected from this vulnerability.
Oracle has their quarterly Critical Patch Update (CPU) releasing today as well. This CPU addresses 405 new security vulnerabilities across multiple products including Java SE.
Ivanti priorities for this month would be to focus on the Windows OS and browser updates as well as Oracle Java as the top priorities.