This month Microsoft released patches for 49 vulnerabilities with 8 rated “Critical” in severity.

 

All patches have been approved in our patch policy.

Overall this is a relatively light month for patches. The big news of course is the spoofing vulnerability (CVE-2020-0601) patched in Windows CryptoAPI Crypt32.dll) affecting Windows 10 and Windows Server 2016/2019 systems. The NSA privately disclosed this vulnerability to Microsoft. Its severity is rated “Important”. There are no reported cases of exploitation and it is considered difficult to leverage.  Also this month are patches for 3 critical RCEs in Remote Desktop Gateway and Remote Desktop Client (CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611). These are rated “Critical” and packaged in the monthly Cumulative Update/Rollup. There are new .NET Framework patches for all versions. Finally, this is the last “Patch Day” for the Windows 7 and Server 2008/2008R2 operating systems.

 

FYI CryptoAPI Spoofing

January 2020 Security Updates: CVE-2020-0601

https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/

 

SANS CVE-2020-0601 (“Curveball”) Test Page

https://curveballtest.com/index.html

 

Notable News – Support for Windows 7 has ended

Microsoft Security Response Center

January 2020 security updates are available!

https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-are-available/

“As a reminder, Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer receiving updates as of January 14, 2020. We strongly recommend that you update any computers running Windows 7, Windows Server 2008, or Windows Server 2008 R2 so you will continue receiving security updates.”

 

Support for Windows 7 has ended

https://www.microsoft.com/en-ca/windows/windows-7-end-of-life-support-information

 

 

FYI [ADV990001] – New Servicing Stack Updates (SSU) for some operating systems.

Up to date SSUs are critical. Many do not show up in the regular Windows Updater scans and should be installed in the background automatically.  ClubMSP offers scripts to audit the current SSU version as well as installation scripts. It is recommended that all partners run the “MS Stack Audit” to determine if their machines are current. “MS Stack Audit AIO” can be used to install the newest SSU if necessary.

 

Disclosed: None

Exploited: None

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software include:

• Microsoft Windows
• Internet Explorer
• Microsoft Office, Office Services and Web Apps
• ASP.NET Core
• .NET Core
• .NET Framework
• OneDrive for Android
• Microsoft Dynamics

 

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:1/14/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for all supported versions of Windows.

 

Known Issues

Microsoft is reporting no new known issues with any patches this month.

 

Other sources

We have seen some reports that the Windows 10 Cumulative Update KB4528760 for Windows 10 version 1903/1909 fails to install with error code 0xc1900403. This often seems to be an issue with the download. Many users have successfully installed by manually downloading and installing using the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/Search.aspx?q=KB4528760) this Microsoft has no yet confirmed whether it is a bug.

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

• KB4534310 – Windows 7, Windows Server 2008 R2
• KB4534297 – Windows 8.1, Windows Server 2012 R2
• KB4534283 – Windows Server 2012
• KB4534303 – Windows Server 2008

 

Security Only Update

• KB4534314 – Windows 7, Windows Server 2008 R2
• KB4534309 – Windows 8.1, Windows Server 2012 R2
• KB4534288 – Windows Server 2012
• KB4534312 – Windows Server 2008

 

Cumulative Update for Windows 10

• KB4534306 – Original release version 1507 (OS Build 10240)
• None – Version 1511 (OS Build 10586)
• KB4534271 – Version 1607 “Anniversary Update” (OS Build 14393)
• KB4534296 – Version 1703 “Creators Update” (OS Build 15063)
• KB4534276 – Version 1709 “Fall Creators Update” (OS Build 16299)
• KB4534293 – Version 1803 “Spring Creators Update” (OS Build 17134)
• KB4534273 – Version 1809 “October 2018 Update” (OS Build 17763)
• KB4528760 – Version 1903 “May 2019 Update” (OS Build 18362)
• KB4528760 – Version 1909 “November 2019 Update” (OS Build 18363)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4534251 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

 

None – Security Update for Adobe Flash Player

 

January 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4536554/january-2020-updates-for-microsoft-office

 

Notable CVEs

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

 

CVE-2020-0609 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

 

CVE-2020-0610 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

 

CVE-2020-0611 | Remote Desktop Client Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.

The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.