The January 2020 Security Update Review

January 14, 2020 | Dustin Childs

Welcome to the new year, and welcome to the first Patch Tuesday of 2020. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for January 2020

Adobe begins the year with only two patches addressing a total of nine CVEs. The update for Illustrator CC fixes five Critical-rated CVEs. All of these bugs could allow code execution if a user opened a specially crafted file. The update for Experience Manager fixes three Important and one Moderate-rated information disclosure bugs. None of these vulnerabilities are listed as publicly known or under active attack at the time of release.

Citrix Patches for January 2020

We don’t normally discuss Citrix patches on this blog, but a recent bug (CVE-2019-19781) has been described as “one of the most dangerous bugs disclosed in recent years,” and a proof-of-concept exploit has been made public. What’s worse is that patches are not available yet but are scheduled for later this month. If you use Citrix, you should follow the mitigations posted here and look to apply patches as soon as they become available.

Microsoft Patches for January 2020

Before we get into this month’s patches, I briefly wanted to remind everyone that support for Windows 7 ends today. While Microsoft won’t necessarily be producing new patches for the venerable OS, attackers will certainly continue to produce new exploits. You should definitely be working on your migration strategy to a supported platform.

For January, Microsoft released patches for 49 CVEs covering Microsoft Windows, Internet Explorer (IE), Office and Office Services and Web Apps, ASP.NET, .NET Core, .NET Framework, Modern Apps, and Microsoft Dynamics. Five of these CVEs were submitted through the ZDI program. Of these 49 CVEs, eight are listed as Critical and 41 are listed as Important in severity. According to Microsoft, none of these are publicly known or under active attack at the time of release. However, there have been some reports of an IE bug being actively exploited. It does not appear that bug is addressed by any of these patches.

Let’s take a closer look at some of the more interesting updates for this month, starting with a crypto-related bug that has the rumor mill swirling:

- CVE-2020-0601 – Windows CryptoAPI Spoofing Vulnerability
While only listed as Important in severity, this spoofing bug could have a wide-reaching impact and should be at the top of everyone’s list. This vulnerability could allow an attacker to create a code-signing certificate to sign a malicious executable, making it appear as though the file was from a trusted, legitimate source. It’s not hard to imagine how attackers could employ this tactic. For example, ransomware or other spyware is much easier to install when it appears to have a valid certificate. The patch also creates a new entry in the Windows event logs if someone attempts to use a forged certificate against a patched (and rebooted) system. This is significant and will help admins determine if they have been targeted. In the write-up, Microsoft credits the National Security Agency (NSA) for reporting this bug, which should heighten the sense of urgency in getting this patch tested and deployed.
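As an added example (not code from the original post), here is a PowerShell query a defender can run to pull the audit event the patch writes. The provider name "Microsoft-Windows-Audit-CVE", Event ID 1 and the "[CVE-2020-0601]" message text are taken from Microsoft's published guidance rather than this page, so treat them as assumptions to confirm against it.

```powershell
# Added example, not code from the original post. Pulls the audit event that a patched
# (and rebooted) host writes when a forged certificate is validated.
# Assumption, from Microsoft's published guidance rather than this page: the event lands
# in the Application log from provider "Microsoft-Windows-Audit-CVE" with Event ID 1 and
# "[CVE-2020-0601]" in the message text.
function Get-CryptoApiSpoofAuditEvent {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,   # hosts to query (needs remote event log access)
        [datetime]$StartTime = (Get-Date).AddDays(-7)   # how far back to look
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = $StartTime
    }
    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Message -match 'CVE-2020-0601' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer    = $computer
                        TimeCreated = $_.TimeCreated
                        ProcessId   = $_.ProcessId      # process that logged the event
                        Message     = ($_.Message -replace '\s+', ' ')
                    }
                }
        }
        catch {
            # Get-WinEvent throws when nothing matches; an empty result is the good outcome.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Review the last week on the local host; pass a server list via -ComputerName to sweep a fleet.
Get-CryptoApiSpoofAuditEvent | Format-Table -AutoSize
```

An unpatched host has no such provider, so a warning or an empty result there says nothing about whether it was targeted; confirm the patch is installed first.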

- CVE-2020-0609 – Windows RDP Gateway Server Remote Code Execution Vulnerability
I could just as easily have listed CVE-2020-0610 here, as the write-up from Microsoft is identical for both bugs. An attacker who exploited either of these bugs could get code execution on affected RDP Gateway Servers. This code execution occurs at the level of the server and is pre-auth and without user interaction. That means these bugs are wormable – at least between RDP Gateway Servers. While not as widespread as the systems affected by BlueKeep, it certainly presents an attractive target for attackers.

- CVE-2020-0611 – Remote Desktop Client Remote Code Execution Vulnerability
While not quite as severe as the previously mentioned RDP bugs, this client-side vulnerability deserves some attention. An attacker could take over an affected system if they can convince a user to connect to a malicious RDP server. Because of that requirement, this may not seem as critical. However, combine this client-side bug with the two server-side bugs released in this same month, and an entire exploit chain becomes clear.

Here’s the full list of CVEs released by Microsoft for January 2020:

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0605 | .NET Framework Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0606 | .NET Framework Remote Code Execution Injection Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0609 | Windows RDP Gateway Server Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
| CVE-2020-0610 | Windows RDP Gateway Server Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
| CVE-2020-0611 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0640 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0646 | .NET Framework Remote Code Execution Injection Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability | Important | No | No | 1 | 1 | Spoof |
| CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-0607 | Microsoft Graphics Components Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0608 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0612 | Windows Remote Desktop Protocol (RDP) Gateway Server Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
| CVE-2020-0613 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0614 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0615 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0616 | Microsoft Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-0617 | Hyper-V Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
| CVE-2020-0620 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0621 | Windows Security Feature Bypass Vulnerability | Important | No | No | N/A | 2 | SFB |
| CVE-2020-0622 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2020-0623 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0624 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0625 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0626 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0627 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0628 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0629 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0630 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0631 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0632 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0633 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0634 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-0635 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0636 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0637 | Remote Desktop Web Access Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2020-0638 | Update Notification Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0639 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0641 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0642 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0643 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-0644 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0647 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | 2 | N/A | Spoof |
| CVE-2020-0650 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0651 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0652 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-0653 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
| CVE-2020-0654 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2020-0656 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |

Of the remaining Critical-rated patches, one is for IE, but again, this is not listed as publicly known or under active attack. There are also three Critical patches for .NET Framework and one for ASP.NET. Most of these require that a user open a specially crafted file on an affected system. However, in CVE-2020-0646, an attacker could pass specific input to an application utilizing susceptible .NET methods to gain code execution. The code execution would occur at the level of the logged-on user, which brings us to another reminder not to log on with admin privileges to do your day-to-day work.

Looking at the Important-rated updates, the 12 updates for the Windows Search Indexer immediately stand out. The write-ups for these dozen bugs are all identical, and they were all reported by the same researcher. All list improper handling of objects in memory as a cause. In each case, a local user could run a specially crafted application to escalate privileges. In all, 21 January patches relate to a local privilege escalation in some form. Affected components include the Windows Subsystem for Linux, the Update Notification Manager, the Windows Kernel, and Microsoft Cryptographic Services.

There are two security feature bypass bugs this month, and both deserve mention. The first involves password creation, and it sounds like some creativity would be needed to exploit it as well. An attacker could create a password filter when creating a new password, which would result in a password being accepted that should have been blocked. I would love to hear the story of how the researchers discovered this scenario. The other bypass, in the OneDrive for Android app, could allow an attacker to bypass the passcode or fingerprint requirements of the application. For this bug, you’ll need to download the update through the Google Play store.

There are a few RCE bugs fixed in Excel and Office. None of these bugs involve the Preview Pane, and all require user interaction. There are also a handful of information disclosure bugs addressed in various Windows components. There are four Denial-of-Service (DoS) bugs fixed this month. A problem with hard links could make an affected Windows server unresponsive. RDP Gateway Servers also get a patch to fix a vulnerability that would allow a remote attacker to shut down an RDP Gateway Server. There are also patches to address DoS bugs in Hyper-V and ASP.NET Core.

Wrapping up this release, there’s a spoofing bug in Office that could allow for cross-origin attacks on affected systems. The final patch from Microsoft for January fixes a cross-site scripting (XSS) bug in Microsoft Dynamics 365 (On-Premise).

No security advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!