Microsoft released April 2020 security updates on Tuesday that fix 113 vulnerabilities ranging from simple spoofing attacks to remote code execution in various products, including Android App, Apps, Microsoft Dynamics, Microsoft Graphics Component, Microsoft JET Database Engine, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows, Microsoft Windows DNS, Open Source Software, Remote Desktop Client, Visual Studio, Windows Defender, Windows Hyper-V, Windows Kernel, Windows Media, and Windows Update Stack.
Description of Critical Vulnerabilities
Microsoft’s April patches fix 17 critical vulnerabilities, which are described as follows:
Microsoft Graphics Remote Code Execution Vulnerability
This vulnerability is due to the improper handling of crafted embedded fonts by Windows’ font library and can be exploited in various ways.
In a web-based scenario, an attacker could exploit this vulnerability by tricking a user into accessing a crafted website. In a file-sharing scenario, an attacker could exploit this vulnerability by convincing users to open a crafted document.
Microsoft Graphics Components Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. This vulnerability could be triggered only when a user opens a crafted file. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.
- CVE-2020-0929, CVE-2020-0931, and CVE-2020-0932
Microsoft SharePoint Remote Code Execution Vulnerability
Exploitation of these vulnerabilities requires that a user upload a specially crafted SharePoint application package to an affected version of SharePoint. An attacker who successfully exploited these vulnerabilities could execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
- CVE-2020-0938 and CVE-2020-1020
Windows Adobe Font Manager Library Code Execution Vulnerability
Microsoft Windows is prone to a remote code execution vulnerability when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font — Adobe Type 1 PostScript format.
For all systems except Windows 10, an attacker who successfully exploited these vulnerabilities could execute code remotely. For systems running Windows 10, an attacker who successfully exploited these vulnerabilities could execute code in an AppContainer sandbox context with limited privileges and capabilities.
In Internet Explorer, a remote code execution vulnerability exists in the way that the scripting engine handles objects in memory.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
- CVE-2020-0970 and CVE-2020-0969
A remote code execution vulnerability exists in the way that the ChakraCore/Chakra scripting engine handles objects in memory. Affecting Microsoft Edge (HTML-based), these vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.