This month Microsoft released patches for 113 vulnerabilities with 17 rated “Critical” and 96 “Important” in severity.

 

All patches have been approved in our patch policy.

 

April brings a large number of patches but relatively few problems with them. Depending on what you read there are 3 or 4 zero-day patches.  The fourth was an Internet Explorer flaw (CVE-2020-0968) which was revised to not actively exploited. The 3 Zero-Days are CVE-2020-0938, CVE-2020-1020 and CVE-2020-1027. CVE-2020-0938 is a flaw in the Adobe Font Manager library. CVE-2020-1020 is a bug in the Adobe Font Manager library. Both can be leveraged by getting a Windows user to open a malicious document or viewing one with the Windows Preview Pane. CVE-2020-1027 is an elevation of privilege vulnerability with the way Windows Kernel handles objects in memory

A few new SSUs. No Adobe Flash security updates (though there is an application update reported in our third party updates). Surprisingly no Windows Malicious Software Removal Tool update.

In response to COVID-19 Microsoft is suspending all optional Windows 10 updates starting May 2020 and will be prioritizing security updates.

 

FYI: Check the Windows message center for changes due to the current public health situation.

https://docs.microsoft.com/en-us/windows/release-information/windows-message-center#405

Revised end of service date for Windows 10, version 1809

“The final security update for these editions of Windows 10, version 1809 will be released on November 10, 2020 instead of May 12, 2020.”

Revised end of service date for Windows 10, version 1709

“The final security update for these editions of Windows 10, version 1709 will be released on October 13, 2020 instead of April 14, 2020.”

Timing for upcoming Windows optional C and D releases

“Starting in May 2020, we are pausing all optional non-security releases”

 

Disclosed: CVE-2020-0935, CVE-2020-1020

Exploited: CVE-2020-0938, CVE-2020-1020, CVE-2020-1027

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software include:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • Microsoft Dynamics
  • Microsoft Apps for Android
  • Microsoft Apps for Mac

 

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:4/14/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

 

ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability (Published:03/23/2020 | Last Updated:03/24/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

Microsoft has become aware of limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released. We appreciate the efforts of our industry partners and are complying with a 7-day timeline for disclosing information regarding these limited attacks.

Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

 

Known Issues

Microsoft Office security updates might block some types of Visual Basic for Applications (VBA) references.

Older operating systems may have trouble installing apps using .msi files published with a Group Policy Object (GPO).

 

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

Microsoft Office security updates

Some types of Visual Basic for Applications (VBA) references might be affected by Microsoft Office security updates

Symptom:”When you install one of the Microsoft Office security updates that are listed in Microsoft Common Vulnerabilities and Exposures CVE-2020-0760, you might notice that some types of Visual Basic for Applications (VBA) references are blocked, and you receive an error message…”

CVE-2020-0760 | Microsoft Office Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0760

Workaround: FAQ for VBA solutions affected by April 2020 Office security updates

https://support.microsoft.com/en-us/help/4557055/faqs-vba-solutions-impacted-april-2020-office-security-updates

 

All OS Windows 10 1803 and older

https://support.microsoft.com/en-us/help/4550922

Symptom: Devices on a domain might be unable to install apps published using a Group Policy Object (GPO). This issue only affects app installations that use .msi files. It does not affect any other installation methods, such as from the Microsoft Store.

Workaround: To mitigate this issue, manually install the app on the device. We are working on a resolution and will provide an update in an upcoming release.

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

  • KB4550964 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4550961 – Windows 8.1, Windows Server 2012 R2
  • KB4550917 – Windows Server 2012
  • KB4550951 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB4550965 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4550970 – Windows 8.1, Windows Server 2012 R2
  • KB4550971 – Windows Server 2012
  • KB4550957 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

  • KB4550930 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4550929 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4550939 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4550927 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4550922 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4549949 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4549951 – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB4549951 – Version 1909 “November 2019 Update” (OS Build 18363)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4550905 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

 

None – Security Update for Adobe Flash Player

 

April 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4549670/april-2020-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2020-0935 | OneDrive for Windows Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935

An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how OneDrive handles symbolic links.

 

CVE-2020-0938 | Adobe Font Manager Library Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.

The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

 

CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981

A security feature bypass vulnerability exists when Windows fails to properly handle token relationships.

An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape.

The update addresses the vulnerability by correcting how Windows handles token relationships

 

CVE-2020-0993 | Windows DNS Denial of Service Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993

A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.

To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service.

The update addresses the vulnerability by correcting how Windows DNS processes queries.

 

CVE-2020-1020 | Adobe Font Manager Library Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.

The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

 

CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.