January Patch Tuesday: IE, RDP, Crypto Bugs Updates
Microsoft released 49 patches in this cycle, eight of which are classified Critical and the remaining 41 as Important. The fixes address a range of products, including RDP Gateway servers, Internet Explorer, CryptoAPI, Office, and OneDrive.
2020 starts off with a relatively heavy list of patches for Microsoft users. January is typically a light month for fixes, but Microsoft released patches for 49 vulnerabilities in this cycle (eight of which are Critical, with the rest classified as Important). None of these vulnerabilities are known to be under attack at this time.
The listed vulnerabilities covered a range of Microsoft products including Windows RDP Gateway servers, Internet Explorer, ASP.NET, CryptoAPI, .NET Framework, Hyper-V, Office, Excel, and OneDrive.
This is also the month that Microsoft stops its extended support of Windows 7, meaning users with this operating system will not be receiving any further software updates or security bulletins. This will leave Windows 7 users vulnerable to future security risks and malware.
Here is a more detailed look at the vulnerabilities covered in January:
Remote Desktop Code Execution/Denial-of-Service Vulnerabilities
CVE-2020-0609 and CVE-2020-0610 are both Critical RCE vulnerabilities in the RDP Gateway Server. If successfully abused, they allow an attacker to execute arbitrary code on the affected RDP server. CVE-2020-0611 is an RCE vulnerability in the Windows Remote Desktop Client, typically triggered when a user connects to a malicious server. Successfully exploiting this vulnerability could allow an attacker to execute arbitrary code on the target’s device.
Meanwhile, CVE-2020-0612 is a denial-of-service vulnerability that also affects Windows RDP Gateway servers. An attacker can connect to a vulnerable target server using RDP and send specially crafted requests. If successfully executed, this could cause the RDP service on the target system to stop responding.
Internet Explorer Memory Corruption Vulnerability
CVE-2020-0640 is another Critical RCE vulnerability, this time in Internet Explorer. The flaw allows improper access to objects in memory. An attacker can use this flaw to run code as the current user; if the targeted victim is logged on with administrative user rights, the attacker can leverage this to gain control of the system.
Windows CryptoAPI Spoofing Vulnerability
The Windows CryptoAPI library provides cryptographic functionality to both Windows itself and applications. CVE-2020-0601 is a flaw in this library that, in certain situations, could allow an attacker to bypass the authentication process, so that malicious objects (network connections, files, emails, and executables) appear to have been signed by a legitimate party. It was discovered and disclosed to Microsoft by the National Security Agency (NSA), and the agency has published a more detailed report on the vulnerability as well.
The flaw lies in how Windows authenticates certificates with certain elliptic curves. It is only present in Windows 10 and Windows Server 2016/2019. We have also created a Vulnerability Assessment Tool that will inform users if their system is at risk from this vulnerability.
ASP.NET Core Denial of Service Vulnerability
CVE-2020-0602 is a vulnerability in ASP.NET Core, a free and open-source web framework. The bug could lead to denial of service attacks due to how specially crafted requests are handled.
Apart from the specific vulnerabilities listed above, there were also multiple issues with Windows Search Indexer that could lead to elevation of privilege for a malicious actor — 12 different vulnerabilities were patched, all of them classified Important.
Trend Micro solutions
To address the security issues brought about by the conclusion of support from manufacturers, solutions like Trend Micro™ Deep Security™ deliver leading automated protection to secure applications and workloads across new and end of support systems. Deep Security’s virtual patching automatically shields systems from new threats and vulnerabilities, minimizing disruptions and ensuring your critical applications and sensitive enterprise data stay protected.
Users with affected installations are advised to prioritize the updates in order to avoid possible system exploitation through unpatched vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday, updating or creating rules to address applicable vulnerabilities found. The following rules have been released to cover the appropriate vulnerabilities:
- 1010124-Microsoft SharePoint Information Disclosure Vulnerability (CVE-2019-1443)
- 1010125-Microsoft Windows RDP Gateway Server Remote Code Execution Vulnerabilities (CVE-2020-0609 and CVE-2020-0610)
- 1010127-Microsoft Office Stack-Based Buffer Overflow Remote Code Execution Vulnerability (CVE-2020-0652)
- 1010130-Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- 1010132-Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1
Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit some of the vulnerabilities fixed this month via the following MainlineDV filters:
- 33692: HTTP: Microsoft SharePoint EntityInstanceIdEncoder Insecure Deserialization Vuln (ZDI-19-181)
- 36696: HTTP: Microsoft Office Graph Buffer Overflow Vulnerability
- 36882: UDP: Microsoft Remote Desktop Gateway Code Execution Vulnerability
- 36883: UDP: Microsoft Remote Desktop Gateway Out-of-Bounds Write Vulnerability
- 36918: HTTP: Microsoft SharePoint Information Disclosure Vulnerability
- 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability