April 2020 Patch Tuesday – 113 Vulns, 19 Critical, Zero-Day Patches, SharePoint, Adobe ColdFusion
This month’s Microsoft Patch Tuesday addresses 113 vulnerabilities with 19 of them labeled as Critical. The 19 Critical vulnerabilities cover Adobe Font Manager Library (0-day), SharePoint, Hyper-V, Scripting Engines, Media Foundation, Microsoft Graphics, Windows Codecs, and Dynamics Business Central. Adobe released patches today for ColdFusion, After Effects, and Digital Editions.
The Scripting Engine, Adobe Font Manager Library, Media Foundation, Microsoft Graphics, and Windows Codecs patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Windows Kernel Privilege Escalation
While listed as Important, there is also an Actively Attacked privilege escalation vulnerability (CVE-2020-1027) in the Windows Kernel. Often privilege escalation vulnerabilities are “chained” with other vulnerabilities resulting in a full system compromise. This patch should be prioritized across all Windows devices.
Adobe Font Manager Library 0-day
Microsoft patched two Actively Attacked vulnerabilities (CVE-2020-0938, CVE-2020-1020) in the Adobe Font Manager Library that were announced in March. While Windows 10 systems are partially mitigated against the exploit, all Windows workstations should be prioritized for patching.
Hyper-V Hypervisor Escape
This release patches a remote code execution vulnerability (CVE-2020-0910) in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all Hyper-V systems.
Microsoft has also released patches for SharePoint covering four RCE vulnerabilities (CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974), and one XSS (CVE-2020-0927). The four RCEs involve uploading a malicious application package to exploit the vulnerabilities. These patches should be prioritized for all SharePoint servers.
Dynamics Business Central RCE
Similar to last month’s release, Dynamics Business Central is affected by a Remote Code Execution vulnerability (CVE-2020-1022) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as “Exploitation Less Likely,” considering the target is likely a critical server, this should be prioritized across all Dynamics BC/NAV systems.
Adobe issued patches today covering multiple vulnerabilities in ColdFusion, After Effects, and Digital Editions. The patches for ColdFusion are labeled as Priority 2, while the others are set to Priority 3. All patches are labeled as “Important.”
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.