Overview
Microsoft released the January security update on Tuesday, fixing 49 security issues ranging from simple spoofing attacks to remote code execution in products including .NET Framework, Apps, ASP.NET, Common Log File System Driver, Microsoft Dynamics, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows, Microsoft Windows Search Component, Windows Hyper-V, Windows Media, Windows RDP, Windows Subsystem for Linux, and Windows Update Stack.
Of the vulnerabilities fixed in this monthly update from Microsoft, eight are rated critical and affect the .NET Framework, ASP.NET, the Microsoft Scripting Engine, and Windows RDP. The remaining 41 are rated important.
Critical Vulnerabilities
The following are the eight critical vulnerabilities covered in this update.
Windows RDP
- CVE-2020-0609, CVE-2020-0610
These two remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway) could be exploited by unauthenticated attackers.
If the two vulnerabilities are exploited successfully, arbitrary code may be executed on the target system, allowing the attacker to install programs, view, change or delete data, or create a new account with full user rights.
To exploit this vulnerability, an attacker needs to send a specially crafted request to the RD Gateway of the target system via RDP.
This update addresses these issues by correcting the way the RD Gateway handles connection requests.
For more details about the vulnerabilities and to download the updates, please refer to Microsoft’s official security advisories:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
- CVE-2020-0611
This is a remote code execution vulnerability in Windows Remote Desktop clients.
An attacker who successfully exploited this vulnerability could execute arbitrary code on a user’s computer connected to a malicious server. After that, an attacker could install a malicious program, view, change, or delete data, or create a new account with full user rights.
To exploit this vulnerability, an attacker needs to take control of a server and then convince a user to connect to it. Although attackers cannot force users to connect to a malicious server, they may entice users to connect through social engineering, DNS poisoning, or man-in-the-middle (MITM) techniques. An attacker could also compromise a legitimate server, host malicious code on it, and wait for users to connect.
For more details about this vulnerability and to download the update, please refer to Microsoft’s official security advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611
Microsoft Scripting Engine
- CVE-2020-0640
This is a memory corruption vulnerability in the way Internet Explorer handles objects in memory. The vulnerability allows an attacker to execute arbitrary code in the context of the current user.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user logs in with administrative privileges, an attacker could take control of the affected system and may then install a malicious program, view, change or delete data, or create a new account with full user privileges.
An attacker could build a specially crafted website and then convince users to visit it. Attackers cannot force users to view malicious content, but they may entice users to do so by email or instant messaging.
Internet Explorer 9, 10, and 11 are affected.
For more details about this vulnerability and to download the update, please refer to Microsoft’s official security advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0640
ASP.NET and .NET Framework
- CVE-2020-0603, CVE-2020-0605, CVE-2020-0606, and CVE-2020-0646
The above vulnerabilities are remote code execution vulnerabilities in .NET and ASP.NET Core software. They can be triggered if a user opens a maliciously crafted file while using an affected .NET or ASP.NET Core version. With successful exploitation, an attacker could execute arbitrary code in the context of the current user. The underlying errors lie in the way the software handles objects in memory.
For more details about the vulnerabilities and to download the updates, please refer to Microsoft’s official security advisories:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0603
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646
Important Vulnerabilities
In addition to the critical vulnerabilities, this update fixes 41 important vulnerabilities, three of which deserve particular attention:
CVE-2020-0601
This is a spoofing vulnerability in Windows CryptoAPI. Because crypt32.dll incorrectly validates Elliptic Curve Cryptography (ECC) certificates, an attacker could use this flaw to spoof a code-signing certificate and sign a malicious file so that it appears to come from a trusted source. Attackers could also use this vulnerability to conduct man-in-the-middle attacks and decrypt confidential information.
For more details about this vulnerability and to download the update, please refer to Microsoft’s official security advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
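As an added defender-side example (not part of the NSFOCUS advisory or of Microsoft's code), the check below classifies how an X.509 SubjectPublicKeyInfo encodes its ECC curve: legitimate certificates name the curve by OID, whereas a certificate forged through the CVE-2020-0601 validation flaw must carry explicit curve parameters, so that encoding is the shape worth flagging when scanning certificates. The DER blobs it runs on are constructed inline, and the function names are my own.

```python
# Added example: flag ECC SubjectPublicKeyInfo blobs that use explicit curve
# parameters (the encoding a CVE-2020-0601 forged certificate relies on)
# instead of a named-curve OID. Stdlib-only DER walking, no real certificates.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey 1.2.840.10045.2.1
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # secp256r1 1.2.840.10045.3.1.7

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body

def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        length = int.from_bytes(buf[pos + 2:pos + 2 + (first & 0x7F)], "big")
        start = pos + 2 + (first & 0x7F)
    return tag, buf[start:start + length], start + length

def ec_parameter_kind(spki: bytes) -> str:
    """Return 'named-curve', 'explicit', 'implicit', 'absent' or 'not-ec'."""
    _, spki_body, _ = read_tlv(spki, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, alg_body, _ = read_tlv(spki_body, 0)         # AlgorithmIdentifier SEQUENCE
    tag, oid, after_oid = read_tlv(alg_body, 0)     # algorithm OID
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if after_oid >= len(alg_body):
        return "absent"
    param_tag, _, _ = read_tlv(alg_body, after_oid) # ECParameters CHOICE
    return {0x06: "named-curve", 0x30: "explicit", 0x05: "implicit"}.get(param_tag, "unknown")

def make_spki(params: bytes) -> bytes:
    """Constructed sample SPKI: ecPublicKey, the given ECParameters, dummy point."""
    alg = der_tlv(0x30, der_tlv(0x06, EC_PUBLIC_KEY_OID) + params)
    key = der_tlv(0x03, b"\x00\x04" + b"\x11" * 64)   # uncompressed-point placeholder
    return der_tlv(0x30, alg + key)

# Constructed inputs: a named-curve key, and an explicit-parameters key whose
# ECParameters body is only a stand-in (version INTEGER 1); the outer tag is
# all the check looks at.
NAMED_CURVE_SPKI = make_spki(der_tlv(0x06, PRIME256V1_OID))
EXPLICIT_SPKI = make_spki(der_tlv(0x30, der_tlv(0x02, b"\x01")))
```

Explicit parameters are rare but legal in X.509, so treat a hit as a lead to verify against the issuing CA rather than as proof of forgery.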
CVE-2020-0616
This is a Microsoft Windows denial-of-service vulnerability. It exists because Windows does not properly handle hard links. An attacker who successfully exploits this vulnerability could cause the target system to stop responding.
An attacker must log in to the victim’s computer to exploit this vulnerability and then run a specially designed application that could allow the attacker to overwrite system files.
For more details about this vulnerability and to download the update, please refer to Microsoft’s official security advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0616
CVE-2020-0654
A security feature bypass vulnerability exists in the Microsoft OneDrive application for Android. It could allow an attacker to bypass the application’s password or fingerprint protection.
For more details about this vulnerability and to download the update, please refer to Microsoft’s official security advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654
Remediation
Bugs fixed in this update are shown in the following table:
Product | CVE ID | CVE Title | Severity Level |
.NET Framework | CVE-2020-0605 | .NET Framework Remote code execution vulnerability | Critical |
.NET Framework | CVE-2020-0606 | .NET Framework Remote code execution vulnerability | Critical |
.NET Framework | CVE-2020-0646 | .NET Framework Remote Code Execution Injection Vulnerability | Critical |
Apps | CVE-2020-0654 | Microsoft OneDrive for Android Security feature bypass vulnerability | Important |
ASP.NET | CVE-2020-0602 | ASP.NET Core Denial of service vulnerability | Important |
ASP.NET | CVE-2020-0603 | ASP.NET Core Remote code execution vulnerability | Critical |
Common Log File System Driver | CVE-2020-0615 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important |
Common Log File System Driver | CVE-2020-0639 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important |
Common Log File System Driver | CVE-2020-0634 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Microsoft Dynamics | CVE-2020-0656 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0607 | Microsoft Graphics Components Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0622 | Microsoft Graphics Component Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0642 | Win32k Elevation of Privilege Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0643 | Windows GDI+ Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2020-0647 | Microsoft Office Online Spoofing Vulnerability | Important |
Microsoft Office | CVE-2020-0650 | Microsoft Excel Remote code execution vulnerability | Important |
Microsoft Office | CVE-2020-0651 | Microsoft Excel Remote code execution vulnerability | Important |
Microsoft Office | CVE-2020-0652 | Microsoft Office Memory corruption | Important |
Microsoft Office | CVE-2020-0653 | Microsoft Excel Remote code execution vulnerability | Important |
Microsoft Scripting Engine | CVE-2020-0640 | Internet Explorer Memory corruption | Critical |
Microsoft Windows | CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability | Important |
Microsoft Windows | CVE-2020-0608 | Win32k Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-0616 | Microsoft Windows Denial of service vulnerability | Important |
Microsoft Windows | CVE-2020-0620 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-0621 | Windows Security feature bypass vulnerability | Important |
Microsoft Windows | CVE-2020-0624 | Win32k Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-0635 | Windows Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-0644 | Windows Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0613 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0614 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0623 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0625 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0626 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0627 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0628 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0629 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0630 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0631 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0632 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Microsoft Windows Search Component | CVE-2020-0633 | Windows Search Indexer Elevation of Privilege Vulnerability | Important |
Windows Hyper-V | CVE-2020-0617 | Hyper-V Denial of service vulnerability | Important |
Windows Media | CVE-2020-0641 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
Windows RDP | CVE-2020-0609 | Windows Remote Desktop Gateway (RD Gateway) Remote code execution vulnerability | Critical |
Windows RDP | CVE-2020-0610 | Windows Remote Desktop Gateway (RD Gateway) Remote code execution vulnerability | Critical |
Windows RDP | CVE-2020-0611 | Remote Desktop Client Remote code execution vulnerability | Critical |
Windows RDP | CVE-2020-0612 | Windows Remote Desktop Gateway (RD Gateway) Denial of service vulnerability | Important |
Windows RDP | CVE-2020-0637 | Remote Desktop Web Access Information Disclosure Vulnerability | Important |
Windows Subsystem for Linux | CVE-2020-0636 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important |
Windows Update Stack | CVE-2020-0638 | Update Notification Manager Elevation of Privilege Vulnerability | Important |
Recommended Mitigation Measures
Microsoft has released security updates to fix these issues. Please download and install them as soon as possible.
Affected Software
The following tables list the affected software details for the vulnerabilities.
CVE-2020-0654
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
OneDrive for Android | Release Notes Security Update | Important | Security Feature Bypass | | Base: N/A Temporal: N/A Vector: N/A | Maybe |
CVE-2020-0656
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
Dynamics 365 Field Service (on-premises) v7 series | Release Notes Security Update | Important | Spoofing | | Base: N/A Temporal: N/A Vector: N/A | Maybe |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
Download: Microsoft Security Update for January 2020 Fixes 49 Security Vulnerabilities