
Published on January 14th, 2020

Booby-trapped Office files, NSA tipping off Windows code-signing bugs, RDP flaws… • DigitalMunition



Patch Tuesday: In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.

49 fixes from Microsoft

This month's Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond's Windows Remote Desktop Protocol software. Two of the flaws (CVE-2020-0609, CVE-2020-0610) are present on the server side in RD Gateway – requiring no authentication – while a third (CVE-2020-0611) is found on the client side.

Dustin Childs of the Trend Micro Zero Day Initiative notes that the two gateway flaws in particular are open to attack.

"This code execution occurs at the level of the server and is pre-auth and without user interaction," Childs pointed out. "That means these bugs are wormable – at least between RDP Gateway Servers."

NSA issues warning

Also dropping this month is CVE-2020-0601, a spoofing vulnerability that has been heavily hyped over the past 24 hours by the NSA.

According to Microsoft, the vulnerability is present in the Windows Crypto API for Windows 10, Server 2016, and Server 2019. It is traced back to blunders in the validation of Elliptic Curve Cryptography certificates. The end result is the ability for a miscreant to forge code-signing certificates to make malware appear to come from a trusted application developer.

The NSA took things a step further, suggesting that the bug could not only be used to disguise software nasties, but also to intercept secured network connections.

"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the security bod said. "The consequences of not patching the vulnerability are severe and widespread."

Despite Uncle Sam's dire warnings, Microsoft says there is no evidence of the flaw being targeted in the wild and its severity level is listed as "important," a step below the critical remote code execution bugs in RDP, .NET (CVE-2020-0603, CVE-2020-0605, CVE-2020-0606, CVE-2020-0646) and Internet Explorer (CVE-2020-0640).

The American spying agency wants everyone to know – to the point of holding a press conference about CVE-2020-0601 – that it privately found and reported the code-signing flaw to Microsoft, and that it's a cool and totally friendly mass-surveillance system that cares about your ongoing ability to verify the origin and integrity of executable files.

There's another advisory from the CMU CERT Coordination Center.

Also not to be overlooked are the handful of remote-code-execution vulnerabilities in Office, programming screw-ups that can be exploited when the user opens a specially poisoned document file. Those include flaws in Excel (CVE-2020-0650, CVE-2020-0651, CVE-2020-0653) and one for Office in general (CVE-2020-0652).

Finally, this Patch Tuesday marks the last official mainstream release of security patches for Windows 7 and Server 2008, which drop out of support (plus or minus caveats).

Intel posts six advisories to start the year

There were half a dozen advisories released this month by Intel, including one for what Chipzilla considers a high-severity issue. That flaw, CVE-2019-14613, allows elevation of privilege by way of the VTune Amplifier for Windows software.





Intel also addressed an information disclosure flaw (CVE-2019-14615) in Processor Graphics, a denial of service bug (CVE-2019-14596) in Chipset Device Software INF Utility, and an elevation of privilege bug (CVE-2019-14601) in RAID Web Console 3 for Windows.

Admins will want to get in the habit of testing and installing all of the monthly Intel patches alongside those from Microsoft and other vendors.

VMware warns of EoP bug

While you're patching Windows, it would be wise to get the latest update for VMware Tools. That fix cleans up CVE-2020-3941, a race condition flaw that would potentially allow users to escalate their privileges within a Windows VM.

While not as serious as a full hypervisor escape bug, the flaw is worth patching. Alternatively, updating to VMware Tools 11.0.0 or later will also fix the bug.

Adobe starts off slow with just two January patches

This was a relatively light Patch Tuesday for Adobe, which posted a pair of updates to address a total of nine CVE-listed bugs.

Of those, five were found in Adobe Illustrator CC for Windows. Each is a memory corruption vulnerability that, if exploited, allows for arbitrary code execution. FortiGuard Labs researcher Honggang Ren was credited for all five discoveries.

The second patch was issued for Adobe Experience Manager. It cleans up four flaws, each allowing for information disclosure. Two of the bugs were credited to Lorenzo Pirondini, a front-end software engineer at Adobe specialists Netcentric.

SAP posts seven patches

This month saw SAP release six bug fixes and one update to an earlier notice.

Of those seven bulletins, the most serious concerns CVE-2020-6305, a cross-site scripting vulnerability in the Rest Adaptor for SAP Process Integration.

Other patches include a denial of service flaw in NetWeaver Internet Communication Manager (CVE-2020-6304), and a missing authorization check in Realtech RTCISM 100.
