Otto background

Automox Patch Tuesday Breakdown: April 2020

Welcome to April’s Patch Tuesday Breakdown.

This month, Microsoft is rolling out security fixes for a total of 113 vulnerabilities, 15 of which are rated critical. April’s Patch Tuesday rollout also features patches for three actively exploited zero-day vulnerabilities and two publicly disclosed vulnerabilities.

Today, we’re also looking at a relatively small update from Adobe featuring security fixes for three products.

Earlier in April, Mozilla released two patches for zero-day vulnerabilities affecting their web browser, Firefox. Google Chrome also received several critical security updates as well.

Due to current events, many organizations have seen their remote workforce expand dramatically, seemingly overnight. Patching remote devices with legacy technology can be cumbersome in the modern tech landscape, for both IT staff and remote workers. Regardless, deploying security updates quickly remains as important as ever.

Check out last month’s breakdown for coverage of security updates from March.

Microsoft Releases Security Updates for Zero-Day Vulnerability

For April, Microsoft has released several patches that are especially noteworthy -- including a patch for a previously unknown vulnerability that is actively getting exploited in the wild.

CVE-2020-0938 is a remote code execution vulnerability that exists in Windows when Windows Adobe Type Manager Library fails to handle specially crafted OpenType fonts properly. Attackers can attempt exploitation of CVE-2020-0938 through a variety of approaches, such as tricking users into opening documents or visiting web pages that are designed to target this vulnerability. The patch from Microsoft corrects this by changing how OpenType fonts are handled by Windows Adobe Type Manager Library.

For all versions of Windows except Windows 10, this vulnerability could allow an attacker to run remote code -- allowing them to install programs, create new user accounts and view or change data. For Windows 10 users, this vulnerability could allow an attacker to run remote code within an App Container sandbox, giving them limited capabilities and privileges.

As a zero-day, this vulnerability is actively getting exploited in the wild and was not publicly disclosed; it’s existence was just revealed in today’s security update. While CVE-2020-0938 is technically rated as important, the fact that this vulnerability is getting exploited in the wild should put it on everyone’s radar.

Microsoft Patches Publicly Disclosed and Exploited Vulnerabilities

For April, Microsoft is releasing patches for a number of publicly disclosed and actively exploited vulnerabilities. These include:

CVE-2020-1020 is another zero-day vulnerability. It was first discovered a month ago, but a patch has just become available with April’s security update. CVE-2020-1020 is a remote code execution vulnerability found in Windows when Adobe Font Manager handles OpenType fonts improperly CVE-2020-1020 is a publicly disclosed vulnerability and is known to be exploited in the wild.

Attackers can attempt to take advantage of this CVE by convincing users to open a specially crafted document designed to target the vulnerability. If successful, the attacker can then run remote code -- allowing them to install programs, view or change data and create new user accounts.

Microsoft has also released a patch for another vulnerability known to be exploited, CVE-2020-0968. This is a scripting engine memory corruption vulnerability found in the way Internet Explorer’s scripting engine handles objects in memory. Attackers can potentially exploit this vulnerability to gain current user-level privileges and take control of the system. There are multiple ways in which a malicious actor could prey on this CVE, including convincing users to view specially crafted websites or web content that is designed to target the vulnerability.

The patch from Microsoft resolves this issue by changing how the scripting engine in Internet Explorer handles objects in memory.

CVE-2020-1027 is a privilege elevation vulnerability which occurs in the way Windows Kernel handles objects in memory. A locally authenticated attacker can attempt exploitation by running an application designed to target this vulnerability. If successful, the attacker can then run code with elevated privileges. Microsoft’s security update addresses this issue and ensures Kernel handles objects in memory.

Another highlight from this month’s Patch Tuesday is CVE-2020-0935. This is a publicly disclosed vulnerability involving elevation of privilege.

CVE-2020-0935 is a vulnerability that occurs when OneDrive for Windows Desktop handles symbolic links incorrectly. Attackers can attempt exploitation by logging into the target system and running an application crafted for taking advantage of this vulnerability. If successful, attackers can use this vulnerability to elevate status and take control of the victim system. Microsoft’s security update addresses this issue by correcting how OneDrive for Windows Desktop handles symbolic links. CVE-2020-0935 is a publicly disclosed vulnerability, but is not known to have been exploited in the wild at the time of this reporting.

More Important Updates From Microsoft

In addition to these important security updates from Microsoft, there are also 15 critically rated patches to deploy this month. These include:

  • CVE-2020-0687
  • CVE-2020-0907
  • CVE-2020-0910
  • CVE-2020-0927
  • CVE-2020-0929
  • CVE-2020-0931
  • CVE-2020-0932
  • CVE-2020-0948
  • CVE-2020-0949
  • CVE-2020-0950
  • CVE-2020-0965
  • CVE-2020-0969
  • CVE-2020-0970
  • CVE-2020-0974

Microsoft recommends deploying patches as soon as possible. Due to the current influx of remote workers many organizations are facing, IT staff may need to prioritize and stagger their patching schedules to fit their needs. Ensuring every device is receiving necessary security updates is essential, and the dramatic shift in how workforce operations are run may affect the process patch deployment.

Other Security Updates for April

For April, Adobe has released a light security update featuring fixes for three products, ColdFusion, After Effects and Digital Editions.

Adobe ColdFusion 2016 and 2018 get three patches this month:

  • CVE-2020-3767
  • CVE-2020-3768
  • CVE-2020-3796

Adobe After Effects receives a patch for CVE-2020-3809 and Adobe Digital Editions receives a patch for CVE-2020-3798. All of these vulnerabilities are rated as important and none are known to be exploited in the wild.

Earlier in April, Mozilla released patches for exploited security flaws in Firefox. Two versions of the web browser, Firefox 74.0 and Firefox ESR 68.6.0, are affected by the vulnerabilities. Mozilla ranks these flaws as critical and the patches should be deployed as soon as possible.

The latest version of Google Chrome, browser version 80.0.3987.162, was also released in early April. A total of eight security flaws were fixed in the update. Among these, the Center for Internet Security reports, is a critical flaw that could lead to arbitrary code execution within the context of the browser. Depending on the application’s privileges, a successful exploit could allow attackers to view, change or delete data.

April is going to be a busy month for IT staff, there’s little doubt about that. In addition to a slew of security updates to deploy, there are many new challenges organizations may be facing today -- including the challenge of keeping their systems secure in the wake of a critical event.  Many organizations have made a sudden shift to remote work, which means the number of remote endpoints IT staffers are patching has probably gone up exponentially. VPN has long been the go-to for managing remote devices and connecting them to corporate infrastructure. If your VPN’s bandwidth can’t handle an influx of traffic, employees may not be able to connect to it all. This means their devices may go unpatched for days or weeks until they decide to try connecting again.

Cloud-based patching platforms can streamline the patching process and reduce the time it takes to deploy patches across all devices -- no matter where they’re located. Attackers can weaponize a new critical vulnerability in as little as seven days -- and zero-day vulnerabilities have already been weaponized at the time of disclosure. Patching sooner rather than later is essential for organizations looking to end vulnerabilities today, before attackers sink their hooks in.

About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic