SpiderLabs Blog

Patch Tuesday, April 2020

Written by Karl Sigler | Apr 14, 2020 10:23:00 AM

April's Patch Tuesday is here and Microsoft is patching 113 CVEs this month. Eighteen of these are rated "Critical", 94 rated as "Important", and one rated "Moderate". The highest-profile vulnerability patched today is in the Adobe and OpenType font drivers (CVE-2020-1020 and CVE-2020-0938 respectively). These vulnerabilities were detected after being exploited as a part of a limited zero-day campaign. Among the other "Critical" vulnerabilities are Remote Code Execution (RCE) vulnerabilities in SharePoint, Dynamics, and Hyper-V.

SharePoint and Hyper-V also pop up on the list of vulnerabilities on the list rated "Important". There are also over a dozen privilege escalation vulnerabilities in the Windows kernel and various operating system components. A rarity for Patch Tuesday are patches for Apple Mac based vulnerabilities but two separate privilege escalation vulnerabilities are patched today for the Microsoft Remote Desktop (CVE-2020-0919) and RMS Sharing Apps (CVE-2020-1019) for Mac.

Make sure you wash your hands before and after patching and stay safe!


Critical

Adobe Font Manager Library Remote Code Execution Vulnerability
CVE-2020-1020
Remote Code Execution

Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2020-0969
Remote Code Execution

Dynamics Business Central Remote Code Execution Vulnerability
CVE-2020-1022
Remote Code Execution

Media Foundation Memory Corruption Vulnerability
CVE-2020-0948, CVE-2020-0949, CVE-2020-0950
Remote Code Execution

Microsoft Graphics Components Remote Code Execution Vulnerability
CVE-2020-0907, CVE-2020-0687
Remote Code Execution

Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974
Information Disclosure

Microsoft Windows Codecs Library Remote Code Execution Vulnerability
CVE-2020-0965
Remote Code Execution

OpenType Font Parsing Remote Code Execution Vulnerability
CVE-2020-0938
Remote Code Execution

Scripting Engine Memory Corruption Vulnerability
CVE-2020-0968, CVE-2020-0970
Remote Code Execution

VBScript Remote Code Execution Vulnerability
CVE-2020-0967
Remote Code Execution

Windows Hyper-V Remote Code Execution Vulnerability
CVE-2020-0910
Remote Code Execution

 

Important

Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
CVE-2020-0942, CVE-2020-0944, CVE-2020-1029
Elevation of Privilege

DirectX Elevation of Privilege Vulnerability
CVE-2020-0784, CVE-2020-0888
Elevation of Privilege

GDI+ Remote Code Execution Vulnerability
CVE-2020-0964
Remote Code Execution

Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008
Remote Code Execution

Media Foundation Information Disclosure Vulnerability
CVE-2020-0937, CVE-2020-0939, CVE-2020-0945, CVE-2020-0946, CVE-2020-0947
Information Disclosure

Microsoft (MAU) Office Elevation of Privilege Vulnerability
CVE-2020-0984
Elevation of Privilege

Microsoft Defender Elevation of Privilege Vulnerability
CVE-2020-1002
Elevation of Privilege

Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
CVE-2020-1049, CVE-2020-1050
Spoofing

Microsoft Dynamics Business Central/NAV Information Disclosure
CVE-2020-1018
Information Disclosure

Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-0906, CVE-2020-0979
Remote Code Execution

Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2020-0982, CVE-2020-0987, CVE-2020-1005
Information Disclosure

Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
CVE-2020-0961
Remote Code Execution

Microsoft Office Remote Code Execution Vulnerability
CVE-2020-0760, CVE-2020-0991
Remote Code Execution

Microsoft Office SharePoint XSS Vulnerability
CVE-2020-0923, CVE-2020-0924, CVE-2020-0925, CVE-2020-0926, CVE-2020-0927, CVE-2020-0930, CVE-2020-0933, CVE-2020-0973, CVE-2020-0978
Spoofing

Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability
CVE-2020-0919
Elevation of Privilege

Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability
CVE-2020-1019
Security Feature Bypass

Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-0920, CVE-2020-0971
Remote Code Execution

Microsoft SharePoint Spoofing Vulnerability
CVE-2020-0972, CVE-2020-0975, CVE-2020-0976, CVE-2020-0977
Spoofing

Microsoft Visual Studio Elevation of Privilege Vulnerability
CVE-2020-0899
Elevation of Privilege

Microsoft Windows Update Client Elevation of Privilege Vulnerability
CVE-2020-1014
Elevation of Privilege

Microsoft Word Remote Code Execution Vulnerability
CVE-2020-0980
Remote Code Execution

Microsoft YourPhone Application for Android Authentication Bypass Vulnerability
CVE-2020-0943
Security Feature Bypass

MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability
CVE-2020-1026
Information Disclosure

OneDrive for Windows Elevation of Privilege Vulnerability
CVE-2020-0935
Elevation of Privilege

VBScript Remote Code Execution Vulnerability
CVE-2020-0966
Remote Code Execution

Visual Studio Extension Installer Service Elevation of Privilege Vulnerability
CVE-2020-0900
Elevation of Privilege

Win32k Elevation of Privilege Vulnerability
CVE-2020-0956, CVE-2020-0957, CVE-2020-0958
Elevation of Privilege

Win32k Information Disclosure Vulnerability
CVE-2020-0699, CVE-2020-0962
Information Disclosure

Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability
CVE-2020-0835
Elevation of Privilege

Windows Denial of Service Vulnerability
CVE-2020-0794
Denial of Service

Windows DNS Denial of Service Vulnerability
CVE-2020-0993
Denial of Service

Windows Elevation of Privilege Vulnerability
CVE-2020-0934, CVE-2020-0983, CVE-2020-1009, CVE-2020-1011, CVE-2020-1015
Elevation of Privilege

Windows GDI Information Disclosure Vulnerability
CVE-2020-0952
Information Disclosure

Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2020-1004
Elevation of Privilege

Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2020-0917, CVE-2020-0918
Elevation of Privilege

Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-0913, CVE-2020-1000, CVE-2020-1003, CVE-2020-1027
Elevation of Privilege

Windows Kernel Information Disclosure in CPU Memory Access
CVE-2020-0955
Information Disclosure

Windows Kernel Information Disclosure Vulnerability
CVE-2020-0821, CVE-2020-1007
Information Disclosure

Windows Push Notification Service Elevation of Privilege Vulnerability
CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017, CVE-2020-1016
Information Disclosure

Windows Scheduled Task Elevation of Privilege Vulnerability
CVE-2020-0936
Elevation of Privilege

Windows Token Security Feature Bypass Vulnerability
CVE-2020-0981
Security Feature Bypass

Windows Update Stack Elevation of Privilege Vulnerability
CVE-2020-0985, CVE-2020-0996
Elevation of Privilege

Windows VBScript Engine Remote Code Execution Vulnerability
CVE-2020-0895
Remote Code Execution

Windows Work Folder Service Elevation of Privilege Vulnerability
CVE-2020-1094
Elevation of Privilege

 

Moderate

Microsoft Office SharePoint XSS Vulnerability
CVE-2020-0954
Spoofing