April's Patch Tuesday is here and Microsoft is patching 113 CVEs this month: 18 rated "Critical", 94 rated "Important", and one rated "Moderate". The highest-profile fixes are for two font-parsing vulnerabilities in the Windows Adobe Type Manager Library, one in the Adobe Font Manager Library code (CVE-2020-1020) and one in OpenType font parsing (CVE-2020-0938). Both were found being exploited in limited, targeted attacks before a fix existed, which is what makes them zero-days; because the library parses fonts embedded in documents and web content, a specially crafted file is all an attacker needs, so these two should be first in line for deployment. Among the other "Critical" vulnerabilities are Remote Code Execution (RCE) flaws in SharePoint, Dynamics, and Hyper-V.
SharePoint and Hyper-V also appear on the list of vulnerabilities rated "Important", alongside more than a dozen privilege-escalation vulnerabilities in the Windows kernel and various operating system components. Patches for Mac software are a rarity on Patch Tuesday, but two separate privilege-escalation vulnerabilities are fixed today in the Microsoft Remote Desktop app (CVE-2020-0919) and the RMS Sharing app (CVE-2020-1019) for Mac.
Make sure you wash your hands before and after patching and stay safe!
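Turning a roundup like this into a CVE inventory is usually the first thing a vulnerability-management team does with it, and the same pass catches copy errors in the impact column. The Python below is an added example, not Trustwave's code: it parses a pasted patch roundup in either the three-line layout (title, comma-separated CVE list, impact) or a "title | CVE list | impact" row layout under Critical/Important/Moderate headings, totals CVEs per severity so the numbers can be checked against the totals a post claims, flags entries whose impact column contradicts the bulletin title, and groups CVEs by product keyword. The embedded sample is a constructed excerpt of this month's entries, including two entries whose impact column does not match their title.

```python
import re
from collections import Counter, defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# A line (or table cell) consisting only of comma-separated CVE IDs.
CVE_LIST_RE = re.compile(r"CVE-\d{4}-\d{4,7}(?:\s*,\s*CVE-\d{4}-\d{4,7})*")
SEVERITIES = ("Critical", "Important", "Moderate", "Low")

# Wording in Microsoft bulletin titles -> impact class MSRC assigns.
# Order matters: the first match wins (MSRC files XSS under Spoofing).
TITLE_IMPACT = [
    ("remote code execution", "Remote Code Execution"),
    ("memory corruption", "Remote Code Execution"),
    ("elevation of privilege", "Elevation of Privilege"),
    ("information disclosure", "Information Disclosure"),
    ("security feature bypass", "Security Feature Bypass"),
    ("authentication bypass", "Security Feature Bypass"),
    ("denial of service", "Denial of Service"),
    ("cross site scripting", "Spoofing"),
    ("xss", "Spoofing"),
    ("spoofing", "Spoofing"),
]

def expected_impact(title):
    """Impact class implied by the bulletin title, or None if unrecognised."""
    lowered = title.lower()
    return next((impact for needle, impact in TITLE_IMPACT if needle in lowered), None)

def parse_roundup(text):
    """Return one record per CVE ID found in a pasted patch roundup.

    A severity heading line applies to every entry that follows it. An entry is
    either three consecutive lines (title, CVE list, impact) or one
    'title | CVE list | impact' row; anything else (header rows, prose) is ignored.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, severity = [], None
    for idx, line in enumerate(lines):
        if line in SEVERITIES:
            severity = line
            continue
        if "|" in line:
            cols = [c.strip() for c in line.split("|")]
            if len(cols) != 3 or not CVE_LIST_RE.fullmatch(cols[1]):
                continue  # header row or unrelated text
            title, cve_field, impact = cols
        elif CVE_LIST_RE.fullmatch(line) and 0 < idx < len(lines) - 1:
            title, cve_field, impact = lines[idx - 1], line, lines[idx + 1]
        else:
            continue
        for cve in CVE_RE.findall(cve_field):
            records.append({"severity": severity, "title": title,
                            "cve": cve, "impact": impact})
    return records

def severity_counts(records):
    """CVE count per severity, to check against the totals a roundup claims."""
    return Counter(r["severity"] for r in records)

def impact_mismatches(records):
    """(cve, stated impact, impact implied by the title) for inconsistent rows."""
    return [(r["cve"], r["impact"], expected_impact(r["title"]))
            for r in records
            if expected_impact(r["title"]) not in (None, r["impact"])]

def cves_by_product(records, products):
    """Group (severity, cve) pairs by a product keyword appearing in the title."""
    groups = defaultdict(list)
    for r in records:
        for product in products:
            if product.lower() in r["title"].lower():
                groups[product].append((r["severity"], r["cve"]))
    return dict(groups)

# Constructed excerpt of the April 2020 roundup, mixing both layouts on purpose.
SAMPLE = """
Critical
Adobe Font Manager Library Remote Code Execution Vulnerability
CVE-2020-1020
Remote Code Execution
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974
Information Disclosure
Windows Hyper-V Remote Code Execution Vulnerability
CVE-2020-0910
Remote Code Execution
Important
Vulnerability | CVE(s) | Impact
Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2020-0920, CVE-2020-0971 | Remote Code Execution
Windows Hyper-V Elevation of Privilege Vulnerability | CVE-2020-0917, CVE-2020-0918 | Elevation of Privilege
Windows Push Notification Service Elevation of Privilege Vulnerability | CVE-2020-0940, CVE-2020-1001 | Information Disclosure
Moderate
Microsoft Office SharePoint XSS Vulnerability | CVE-2020-0954 | Spoofing
"""

if __name__ == "__main__":
    recs = parse_roundup(SAMPLE)
    print(dict(severity_counts(recs)))  # {'Critical': 6, 'Important': 6, 'Moderate': 1}
    for cve, stated, implied in impact_mismatches(recs):
        print(f"{cve}: impact column says {stated!r}, title implies {implied!r}")
    print(cves_by_product(recs, ["SharePoint", "Hyper-V"]))
```

Run it against the full text of a roundup and compare `severity_counts` with the totals in the opening paragraph; any row reported by `impact_mismatches` is worth re-checking against the MSRC entry before the CVE goes into a ticketing system.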
Critical
Vulnerability | CVE(s) | Impact
Adobe Font Manager Library Remote Code Execution Vulnerability | CVE-2020-1020 | Remote Code Execution
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2020-0969 | Remote Code Execution
Dynamics Business Central Remote Code Execution Vulnerability | CVE-2020-1022 | Remote Code Execution
Media Foundation Memory Corruption Vulnerability | CVE-2020-0948, CVE-2020-0949, CVE-2020-0950 | Remote Code Execution
Microsoft Graphics Components Remote Code Execution Vulnerability | CVE-2020-0907, CVE-2020-0687 | Remote Code Execution
Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974 | Remote Code Execution
Microsoft Windows Codecs Library Remote Code Execution Vulnerability | CVE-2020-0965 | Remote Code Execution
OpenType Font Parsing Remote Code Execution Vulnerability | CVE-2020-0938 | Remote Code Execution
Scripting Engine Memory Corruption Vulnerability | CVE-2020-0968, CVE-2020-0970 | Remote Code Execution
VBScript Remote Code Execution Vulnerability | CVE-2020-0967 | Remote Code Execution
Windows Hyper-V Remote Code Execution Vulnerability | CVE-2020-0910 | Remote Code Execution
Important
Vulnerability | CVE(s) | Impact
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | CVE-2020-0942, CVE-2020-0944, CVE-2020-1029 | Elevation of Privilege
DirectX Elevation of Privilege Vulnerability | CVE-2020-0784, CVE-2020-0888 | Elevation of Privilege
GDI+ Remote Code Execution Vulnerability | CVE-2020-0964 | Remote Code Execution
Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008 | Remote Code Execution
Media Foundation Information Disclosure Vulnerability | CVE-2020-0937, CVE-2020-0939, CVE-2020-0945, CVE-2020-0946, CVE-2020-0947 | Information Disclosure
Microsoft (MAU) Office Elevation of Privilege Vulnerability | CVE-2020-0984 | Elevation of Privilege
Microsoft Defender Elevation of Privilege Vulnerability | CVE-2020-1002 | Elevation of Privilege
Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | CVE-2020-1049, CVE-2020-1050 | Spoofing
Microsoft Dynamics Business Central/NAV Information Disclosure | CVE-2020-1018 | Information Disclosure
Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-0906, CVE-2020-0979 | Remote Code Execution
Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2020-0982, CVE-2020-0987, CVE-2020-1005 | Information Disclosure
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2020-0961 | Remote Code Execution
Microsoft Office Remote Code Execution Vulnerability | CVE-2020-0760, CVE-2020-0991 | Remote Code Execution
Microsoft Office SharePoint XSS Vulnerability | CVE-2020-0923, CVE-2020-0924, CVE-2020-0925, CVE-2020-0926, CVE-2020-0927, CVE-2020-0930, CVE-2020-0933, CVE-2020-0973, CVE-2020-0978 | Spoofing
Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability | CVE-2020-0919 | Elevation of Privilege
Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability | CVE-2020-1019 | Elevation of Privilege
Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2020-0920, CVE-2020-0971 | Remote Code Execution
Microsoft SharePoint Spoofing Vulnerability | CVE-2020-0972, CVE-2020-0975, CVE-2020-0976, CVE-2020-0977 | Spoofing
Microsoft Visual Studio Elevation of Privilege Vulnerability | CVE-2020-0899 | Elevation of Privilege
Microsoft Windows Update Client Elevation of Privilege Vulnerability | CVE-2020-1014 | Elevation of Privilege
Microsoft Word Remote Code Execution Vulnerability | CVE-2020-0980 | Remote Code Execution
Microsoft YourPhone Application for Android Authentication Bypass Vulnerability | CVE-2020-0943 | Security Feature Bypass
MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability | CVE-2020-1026 | Security Feature Bypass
OneDrive for Windows Elevation of Privilege Vulnerability | CVE-2020-0935 | Elevation of Privilege
VBScript Remote Code Execution Vulnerability | CVE-2020-0966 | Remote Code Execution
Visual Studio Extension Installer Service Elevation of Privilege Vulnerability | CVE-2020-0900 | Elevation of Privilege
Win32k Elevation of Privilege Vulnerability | CVE-2020-0956, CVE-2020-0957, CVE-2020-0958 | Elevation of Privilege
Win32k Information Disclosure Vulnerability | CVE-2020-0699, CVE-2020-0962 | Information Disclosure
Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability | CVE-2020-0835 | Elevation of Privilege
Windows Denial of Service Vulnerability | CVE-2020-0794 | Denial of Service
Windows DNS Denial of Service Vulnerability | CVE-2020-0993 | Denial of Service
Windows Elevation of Privilege Vulnerability | CVE-2020-0934, CVE-2020-0983, CVE-2020-1009, CVE-2020-1011, CVE-2020-1015 | Elevation of Privilege
Windows GDI Information Disclosure Vulnerability | CVE-2020-0952 | Information Disclosure
Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2020-1004 | Elevation of Privilege
Windows Hyper-V Elevation of Privilege Vulnerability | CVE-2020-0917, CVE-2020-0918 | Elevation of Privilege
Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-0913, CVE-2020-1000, CVE-2020-1003, CVE-2020-1027 | Elevation of Privilege
Windows Kernel Information Disclosure in CPU Memory Access | CVE-2020-0955 | Information Disclosure
Windows Kernel Information Disclosure Vulnerability | CVE-2020-0821, CVE-2020-1007 | Information Disclosure
Windows Push Notification Service Elevation of Privilege Vulnerability | CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017, CVE-2020-1016 | Elevation of Privilege
Windows Scheduled Task Elevation of Privilege Vulnerability | CVE-2020-0936 | Elevation of Privilege
Windows Token Security Feature Bypass Vulnerability | CVE-2020-0981 | Security Feature Bypass
Windows Update Stack Elevation of Privilege Vulnerability | CVE-2020-0985, CVE-2020-0996 | Elevation of Privilege
Windows VBScript Engine Remote Code Execution Vulnerability | CVE-2020-0895 | Remote Code Execution
Windows Work Folder Service Elevation of Privilege Vulnerability | CVE-2020-1094 | Elevation of Privilege
Moderate
Vulnerability | CVE(s) | Impact
Microsoft Office SharePoint XSS Vulnerability | CVE-2020-0954 | Spoofing
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave.