Happy 2020! Microsoft is helping you celebrate the new decade with patches for 49 CVEs. Of those CVEs, eight are rated as "Critical" and 41 are rated as "Important." Among the "Critical" CVEs are four Remote Code Execution (RCE) vulnerabilities in the .NET Framework and three RCE vulnerabilities in Remote Desktop (two for the client and one for the gateway). Ever since BlueKeep, RDP has been getting a monthly going-over with a fine-toothed comb and a magnifying glass.
The vulnerabilities rated as "Important" include multiple RCE vulnerabilities in the Office suite and several Privilege Escalation vulnerabilities in various Windows components. Notable in that list is a Spoofing vulnerability in the Windows CryptoAPI (CVE-2020-0601). This could allow an attacker to spoof a valid encryption key and potentially hijack encrypted connections via a practically undetectable man-in-the-middle attack, or to pretend to be a website that uses encryption, like a banking or e-commerce website. An attacker could also use a spoofed certificate to sign software as "official and trusted," which would make it easier to place malware on systems.
Specifically, the vulnerability is in how Windows handles and validates public keys that use certain ECC (Elliptic Curve Cryptography) algorithms. An ECC key has two parts: the bytes that define the key itself, and metadata in the form of ECC parameters. When Windows validates such a key, it checks only the key bytes and not the parameters. This allows an attacker to generate a forged key that passes validation as long as the key bytes match, even if the parameters do not. The vulnerability was introduced in Windows 10, since earlier versions of Windows did not support ECC parameters.
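To make the key-bytes-versus-parameters distinction concrete, here is an added example (not code from the post or from Microsoft) that parses an EC SubjectPublicKeyInfo with a minimal DER reader and compares a candidate key against a trusted one both ways: key bytes only, the comparison the post describes as flawed, and key bytes plus parameters. The sample keys are constructed inline with filler point bytes, and the explicit-parameters structure is abbreviated; a certificate that carries explicit ECC parameters instead of a named-curve OID is itself worth flagging in a defender's checks.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")  # OID 1.2.840.10045.2.1 (id-ecPublicKey)
SECP256R1 = bytes.fromhex("2A8648CE3D030107")       # OID 1.2.840.10045.3.1.7 (named curve P-256)

def der(tag: int, body: bytes) -> bytes:  # minimal DER TLV encoder for the structures built below
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, off: int = 0):  # decode the TLV at buf[off:] -> (tag, body, offset_after)
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[off + 2:off + 2 + k], "big"), 2 + k
    start = off + hdr
    return tag, buf[start:start + n], start + n

def parse_ec_spki(spki: bytes) -> dict:
    """Split an EC SubjectPublicKeyInfo into its key bytes and its ECC parameters."""
    tag, body, _ = read_tlv(spki)                 # SubjectPublicKeyInfo ::= SEQUENCE
    assert tag == 0x30
    tag, alg, key_off = read_tlv(body)            # AlgorithmIdentifier ::= SEQUENCE
    assert tag == 0x30
    tag, oid, p_off = read_tlv(alg)               # algorithm OID
    assert tag == 0x06 and oid == ID_EC_PUBLIC_KEY, "not an id-ecPublicKey key"
    p_tag, _, _ = read_tlv(alg, p_off)            # parameters: OID (named curve) or SEQUENCE (explicit)
    tag, bits, _ = read_tlv(body, key_off)        # subjectPublicKey BIT STRING
    assert tag == 0x03
    return {"params_kind": {0x06: "named_curve", 0x30: "explicit"}.get(p_tag, "other"),
            "params": alg[p_off:],                # raw DER of the parameters field
            "key_bytes": bits[1:]}                # strip the unused-bits octet

def check_cert_key(candidate: bytes, trusted: bytes) -> dict:
    """Compare a certificate's EC key against a trusted one, both the flawed and the strict way."""
    c, t = parse_ec_spki(candidate), parse_ec_spki(trusted)
    same_bytes = c["key_bytes"] == t["key_bytes"]   # the key-bytes-only comparison the post describes
    return {"bytes_only_match": same_bytes,
            "strict_match": same_bytes and c["params"] == t["params"],
            "explicit_params": c["params_kind"] == "explicit"}  # explicit parameters are worth flagging

# Constructed sample data: the point bytes are arbitrary filler, not a real curve point.
POINT = b"\x04" + bytes(range(1, 65))
def spki(params_der: bytes) -> bytes:
    alg = der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + params_der)
    return der(0x30, alg + der(0x03, b"\x00" + POINT))

TRUSTED_ROOT_SPKI = spki(der(0x06, SECP256R1))
# Same key bytes, explicit parameters (abbreviated; real ones also carry fieldID, curve, generator, order, cofactor)
LOOKALIKE_SPKI = spki(der(0x30, der(0x02, b"\x01") + der(0x04, bytes(8))))
```

Running `check_cert_key(LOOKALIKE_SPKI, TRUSTED_ROOT_SPKI)` shows the lookalike passing the bytes-only comparison while failing the strict one.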
Finally, today also marks the official "End of Life" for Windows 7 and Windows Server 2008. These Operating Systems have been around for a decade, and end of mainstream support occurred back in 2015. Given that much notice, we hope that organizations still using these operating systems have a plan in place to upgrade those systems if they haven't gotten rid of them already.
The End of Life means that Microsoft will no longer provide security updates like the ones listed below. This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a "soft spot" for a compromise. For instance, shortly after Windows XP went into End of Life, we saw widespread exploitation with the WannaCry campaign. While Microsoft did eventually release security fixes for XP, there's no assurance that the same would occur with Windows 7 if there were a similar campaign today. With the concerns around last year's potentially "wormable" BlueKeep (CVE-2019-0708) and new vulnerabilities discovered every month, this is not a time to let your systems go without security patches.
Users still running Windows 7 should upgrade to Windows 10, and servers still running Windows 2008 should be upgraded to at least Windows 2012; alternatively, consider replacing local servers with cloud services.
Luckily none of the vulnerabilities patched today have any known exploit available (yet), so let's start the new decade off right and get to patching. Stay safe out there!
Critical

| Vulnerability | CVE(s) | Impact |
|---|---|---|
| .NET Framework Remote Code Execution Vulnerability | CVE-2020-0646, CVE-2020-0605, CVE-2020-0606 | Remote Code Execution |
| ASP.NET Core Remote Code Execution Vulnerability | CVE-2020-0603 | Remote Code Execution |
| Internet Explorer Memory Corruption Vulnerability | CVE-2020-0640 | Remote Code Execution |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2020-0611 | Remote Code Execution |
| Windows RDP Gateway Server Remote Code Execution Vulnerability | CVE-2020-0609, CVE-2020-0610 | Remote Code Execution |

Important

| Vulnerability | CVE(s) | Impact |
|---|---|---|
| ASP.NET Core Denial of Service Vulnerability | CVE-2020-0602 | Denial of Service |
| Hyper-V Denial of Service Vulnerability | CVE-2020-0617 | Denial of Service |
| Microsoft Cryptographic Services Elevation of Privilege Vulnerability | CVE-2020-0620 | Elevation of Privilege |
| Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | CVE-2020-0656 | Spoofing |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-0650, CVE-2020-0651, CVE-2020-0653 | Remote Code Execution |
| Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2020-0622, CVE-2020-0607 | Information Disclosure |
| Microsoft Office Memory Corruption Vulnerability | CVE-2020-0652 | Remote Code Execution |
| Microsoft Office Online Spoofing Vulnerability | CVE-2020-0647 | Spoofing |
| Microsoft OneDrive for Android Security Feature Bypass Vulnerability | CVE-2020-0654 | Security Feature Bypass |
| Microsoft Windows Denial of Service Vulnerability | CVE-2020-0616 | Denial of Service |
| Microsoft Windows Elevation of Privilege Vulnerability | CVE-2020-0641 | Elevation of Privilege |
| Remote Desktop Web Access Information Disclosure Vulnerability | CVE-2020-0637 | Information Disclosure |
| Update Notification Manager Elevation of Privilege Vulnerability | CVE-2020-0638 | Elevation of Privilege |
| Win32k Elevation of Privilege Vulnerability | CVE-2020-0624, CVE-2020-0642 | Elevation of Privilege |
| Win32k Information Disclosure Vulnerability | CVE-2020-0608 | Information Disclosure |
| Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2020-0634 | Elevation of Privilege |
| Windows Common Log File System Driver Information Disclosure Vulnerability | CVE-2020-0615, CVE-2020-0639 | Information Disclosure |
| Windows CryptoAPI Spoofing Vulnerability | CVE-2020-0601 | Spoofing |
| Windows Elevation of Privilege Vulnerability | CVE-2020-0635, CVE-2020-0644 | Elevation of Privilege |
| Windows GDI+ Information Disclosure Vulnerability | CVE-2020-0643 | Information Disclosure |
| Windows Remote Desktop Protocol (RDP) Gateway Server Denial of Service Vulnerability | CVE-2020-0612 | Denial of Service |
| Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633 | Elevation of Privilege |
| Windows Security Feature Bypass Vulnerability | CVE-2020-0621 | Security Feature Bypass |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | CVE-2020-0636 | Elevation of Privilege |
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave.