1. Cybersecurity >
  2. Hacker >
  3. The April 2020 Security Update Review

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

The April 2020 Security Update Review


Hacking vom | Direktlink: thezdi.com Nachrichten Bewertung

April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for April 2020

For April, Adobe released on three patches addressing five CVEs in Adobe ColdFusion, After Effects, and Digital Editions. All CVEs are rated Important and none are listed as being publicly known or under active attack at the time of release. The update for ColdFusion should be on the top of the deployment list as it includes a local privilege escalation (LPE) to go along with an info disclosure and denial-of-service bug. The update for After Effects, reported by ZDI researcher Mat Powell, corrects an info disclosure bug. The patch for Digital Editions also corrects a single information disclosure bug. Although there is no update for Flash this month, the window for the final Flash patches is closing as it goes out of support at the end of this year.

Microsoft Patches for April 2020

For April, Microsoft released patches for 113 CVEs covering Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer, Office and Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, Microsoft Apps for Android, and Microsoft Apps for Mac. Of these 113 CVEs, 17 are rated Critical and 96 are rated Important in severity. Twelve of these CVEs were reported through the ZDI program. If you feel like there have been a lot of patches this year, you’re not wrong. Microsoft has seen a 44% increase in the number of CVEs patched between January to April of 2020 compared to the same time period in 2019. Both an increasing number of researchers looking for bugs and an expanding portfolio of supported products likely caused this increase. It will be interesting to see if this pace continues, especially considering Microsoft will pause optional Windows 10 updates starting next month.

Two of the bugs addressed this month are listed as being under active attack, and two are listed as being public at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with bugs under active attack.

-       CVE-2020-1020 – Adobe Font Manager Library Remote Code Execution Vulnerability
Initially disclosed back in late March, this bug is one of two reported to be targeting Windows 7 systems. Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font. The code would run at the level of the logged-on user. Although the attacks specifically have targeted Windows 7 systems, not all Win7 systems will receive a patch since the OS left support in January of this year. Only those Windows 7 and Server 2008 customers with an ESU license will receive the patch.

-       CVE-2020-0938 – OpenType Font Parsing Remote Code Execution Vulnerability
This bug is associated with the previous vulnerability, although it impacts a different font renderer. It too is listed as being under active attack. Again, an attacker could execute their code on a target system if a user viewed a specially crafted font. We should also note Windows 10 systems are less impacted by these bugs since the code execution would occur in an AppContainer sandbox. Win7 users will also need an ESU license for this patch.

-       CVE-2020-0993 – Windows DNS Denial of Service VulnerabilityThis patch addresses a Denial-of-Service (DoS) bug in the Windows DNS service. Note that’s the DNS service and not the DNS Server, so client systems are also affected by this vulnerability. An attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system. Since there is no code execution involved, the only gets rated as Important. However, considering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.

-       CVE-2020-0981 – Windows Token Security Feature Bypass Vulnerability
It’s not often you see a security feature bypass directly result in a sandbox escape, but that’s exactly what this bug allows. The vulnerability results from Windows improperly handling token relationships. Attackers could abuse this to allow an application with a certain integrity level to execute code at a different – presumably higher – integrity level. The result is a sandbox escape. This only affects Windows 10 version 1903 and higher, so the code is a relatively recent addition.

Here’s the full list of CVEs released by Microsoft for April 2020.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2020-1020 Adobe Font Manager Library Remote Code Execution Vulnerability Important Yes Yes 2 0 RCE
CVE-2020-0938 OpenType Font Parsing Remote Code Execution Vulnerability Important No Yes 2 0 RCE
CVE-2020-0935 OneDrive for Windows Elevation of Privilege Vulnerability Important Yes No 2 N/A EoP
CVE-2020-0969 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-1022 Dynamics Business Central Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0948 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0949 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0950 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-0907 Microsoft Graphics Components Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0687 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0927 Microsoft Office SharePoint XSS Vulnerability Critical No No 2 2 XSS
CVE-2020-0929 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0931 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0932 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0974 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0965 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0968 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2020-0970 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-0967 VBScript Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0910 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-0942 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0944 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1029 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0784 DirectX Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0888 DirectX Elevation of Privilege Vulnerability Important No No 2 1 EoP
CVE-2020-0964 GDI+ Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0889 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0953 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0959 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0960 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0988 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0992 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0994 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0995 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0999 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1008 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0937 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0939 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0945 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0946 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0947 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0984 Microsoft (MAU) Office Elevation of Privilege Vulnerability Important No No 2 N/A EoP
CVE-2020-1002 Microsoft Defender Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1049 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important No No 2 2 XSS
CVE-2020-1050 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important No No 2 2 XSS
CVE-2020-1018 Microsoft Dynamics Business Central/NAV Information Disclosure Important No No 2 2 Info
CVE-2020-0906 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0979 Microsoft Excel Remote Code Execution Vulnerability Important No No N/A 2 RCE
CVE-2020-0982 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0987 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1005 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0961 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0760 Microsoft Office Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0991 Microsoft Office Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0923 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0924 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0925 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0926 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0930 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0933 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0954 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0973 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0978 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-0919 Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability Important No No 2 N/A EoP
CVE-2020-1019 Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability Important No No 2 N/A EoP
CVE-2020-0920 Microsoft SharePoint Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0971 Microsoft SharePoint Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0972 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-0975 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-0976 Microsoft SharePoint Spoofing Vulnerability Important No No N/A 2 Spoof
CVE-2020-0977 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-0899 Microsoft Visual Studio Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1014 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0980 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0943 Microsoft YourPhone Application for Android Authentication Bypass Vulnerability Important No No 2 N/A EoP
CVE-2020-1026 MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability Important No No 2 N/A SFB
CVE-2020-0966 VBScript Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-0900 Visual Studio Extension Installer Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0956 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0957 Win32k Elevation of Privilege Vulnerability Important No No N/A 1 EoP
CVE-2020-0958 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0699 Win32k Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0962 Win32k Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0835 Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability Important No No 2 N/A EoP
CVE-2020-0794 Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-0993 Windows DNS Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-0934 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0983 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1009 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1011 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1015 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0952 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1004 Windows Graphics Component Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-0917 Windows Hyper-V Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0918 Windows Hyper-V Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-0913 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1000 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1003 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1027 Externe Quelle mit kompletten Inhalt anzeigen
Zur Startseite von Team IT Security

➤ Weitere Beiträge von Team Security | IT Sicherheit

The April 2020 Security Update Review

vom 402.88 Punkte ic_school_black_18dp
April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for April 2020For April, Ad

CentOS Blog: CentOS Pulse Newsletter, May 2019 (#1905)

vom 396.4 Punkte ic_school_black_18dp
Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter #CentOS15 Yes, we've mentioned this before, but we're still pretty stoked about it. On the 1

The March 2020 Security Update Review

vom 374.6 Punkte ic_school_black_18dp
March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for March 2020Oddly, Adobe

The July 2020 Security Update Review

vom 374.22 Punkte ic_school_black_18dp
July is upon us, and it brings another huge batch of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for

The June 2020 Security Update Review

vom 372.67 Punkte ic_school_black_18dp
June is here, and it brings with it a record number of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe

The September 2020 Security Update Review

vom 370.51 Punkte ic_school_black_18dp
September is upon us and so are the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.Adobe Patches for September 2020Adobe rel

The August 2020 Security Update Review

vom 368.69 Punkte ic_school_black_18dp
August is here and so is the latest batch of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.Adobe Patches for August 2020The Adobe re

The May 2020 Security Update Review

vom 367.21 Punkte ic_school_black_18dp
May is upon us, and with it brings another bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for May 2020The Adobe updat

The February 2020 Security Update Review

vom 364.89 Punkte ic_school_black_18dp
February is here, and with it comes some significant security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2020The Adobe

CentOS Blog: CentOS Community newsletter, May 2020 (#2005)

vom 361.02 Punkte ic_school_black_18dp
Dear CentOS enthusiast, We hope you are all doing well and staying healthy, and, as always, thank you for being part of this great community. In this edition: News Releases and updates Events SIG reports News After a great deal of work with Red Hat Legal, we are p

The October 2020 Security Update Review

vom 329.47 Punkte ic_school_black_18dp
October is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.Adobe Patches for October 2020Adobe relea

CentOS Blog: CentOS Community newsletter, April 2020 (#2004)

vom 253.56 Punkte ic_school_black_18dp
Dear CentOS enthusiast, I hope you are all well. I know that this is a very difficult time for all of you, and that you likely have other things on your mind than CentOS, so I'll try to make it interesting this month. In this edition: News Releases and updates Event

Team Security Diskussion über The April 2020 Security Update Review