Welcome to January's Patch Tuesday breakdown.
This month, we're looking at the first security updates of the new year. Microsoft's first update for 2020 includes fixes for 49 security vulnerabilities, eight of which are rated “Critical.” While this month is relatively light in terms of quantity, there are some substantial threats getting addressed this month. One of the critical vulnerabilities remedied for January, CVE-2020-0601, is getting special attention from the NSA – but it is not the only vulnerability to look out for this month. On the server side of things, there is a critical RDP vulnerability (CVE-2020-0609) which allows for remote code execution.
Windows 7 and Windows Server 2008 are receiving their last free patches this month as support from Microsoft will be discontinued. But the end of support doesn't mean the end of security risks, so organizations should take the appropriate steps to secure their legacy devices.
This month, Adobe has also issued critical security updates – and Mozilla has released a fix for a zero-day vulnerability in the Mozilla Firefox web browser.
After surviving the holidays, we can all be grateful for the low volume of security updates this month, though there are some substantial vulnerabilities that need to be corrected sooner rather than later. And be sure to check out last month's breakdown for coverage of December's Patch Tuesday update.
Microsoft fixes 49 vulnerabilities, 8 critical
Of the 49 security fixes released this month from Microsoft, eight are rated “Critical,” with one drawing special attention from the NSA. According to reports, the NSA discovered CVE-2020-0601 and actually alerted Microsoft to the problem instead of weaponizing the vulnerability.
The NSA has even released a statement on this month's Patch Tuesday, specifically to discuss this particular vulnerability and encourage users to patch their systems.
CVE-2020-0601 is a Windows CryptoAPI Spoofing Vulnerability. The vulnerability exists in the way Windows CryptoAPI authenticates Elliptic Curve Cryptography certificates, and it affects Windows 10 users.
Attackers can exploit this vulnerability by using spoofed code-signing certificates to sign malicious files and make them appear to be from trusted, legitimate providers. Users would have no way of knowing the files are malicious because the digital signatures appear to be from trusted sources. Successful exploitation can allow attackers to run man-in-the-middle attacks and decrypt confidential information.
As the NSA cautions, patching is the most effective way to mitigate the risks of this security vulnerability.
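The validation weakness behind CVE-2020-0601, as the NSA's public advisory described it, is that CryptoAPI accepted ECC certificates whose public key carried explicitly defined curve parameters instead of a named-curve identifier. Legitimate public CA certificates use named curves, so one defender-side check that follows from that is to flag any certificate whose EC public key is encoded with explicit parameters. The following Python is an added example and not code from the post or from Automox: it walks the SubjectPublicKeyInfo of a DER certificate with a small hand-written DER reader (no external libraries), and the sample certificates it runs on are constructed structure-only stubs with placeholder fields and a fake public key, not real signed certificates.

```python
"""Flag DER certificates whose EC public key uses explicit curve parameters
(the CVE-2020-0601 indicator) rather than a named curve OID.
Added example; the sample data below is constructed, not real."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"


def _der(tag, content):
    """Minimal DER encoder (tag, length, value) used to build the samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) pairs nested inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body to dotted notation."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def classify_spki(spki_der):
    """Classify a SubjectPublicKeyInfo blob: 'named-curve', 'explicit-params',
    'implicit', 'not-ec' or 'unknown'. 'explicit-params' is the finding."""
    tag, value, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_id = _children(value)[0]           # AlgorithmIdentifier precedes the key bits
    alg_parts = _children(alg_id[1])
    oid_tag, oid_val = alg_parts[0]
    if oid_tag != 0x06 or _decode_oid(oid_val) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg_parts) < 2:
        return "unknown"
    ptag = alg_parts[1][0]
    if ptag == 0x06:                       # namedCurve OID: the normal case
        return "named-curve"
    if ptag == 0x30:                       # ECParameters SEQUENCE: explicit parameters
        return "explicit-params"
    if ptag == 0x05:                       # implicitlyCA NULL
        return "implicit"
    return "unknown"


def spki_from_certificate(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER-encoded Certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs = _children(cert_body)[0]       # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_val = fields[5]
    return _der(spki_tag, spki_val)


def audit_certificate(cert_der):
    return classify_spki(spki_from_certificate(cert_der))


# --- constructed samples (structure only; FAKE_POINT is not a real key) ---
EC_OID = _der(0x06, bytes.fromhex("2A8648CE3D0201"))        # id-ecPublicKey
P256_OID = _der(0x06, bytes.fromhex("2A8648CE3D030107"))    # prime256v1
RSA_OID = _der(0x06, bytes.fromhex("2A864886F70D010101"))   # rsaEncryption
FAKE_POINT = _der(0x03, b"\x00\x04" + b"\x11" * 64)
NAMED_SPKI = _der(0x30, _der(0x30, EC_OID + P256_OID) + FAKE_POINT)
EXPLICIT_PARAMS = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b""))  # stub ECParameters
EXPLICIT_SPKI = _der(0x30, _der(0x30, EC_OID + EXPLICIT_PARAMS) + FAKE_POINT)
RSA_SPKI = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + FAKE_POINT)


def fake_cert(spki):
    """Wrap an SPKI in a minimal Certificate shell with stub fields (constructed)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"") * 4 + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # audit real DER files passed on the command line
        with open(path, "rb") as fh:
            print(path, audit_certificate(fh.read()))
    if len(sys.argv) == 1:
        print("named sample:", audit_certificate(fake_cert(NAMED_SPKI)))
        print("explicit sample:", audit_certificate(fake_cert(EXPLICIT_SPKI)))
```

Point the script at DER files (PEM input must be base64-decoded first); a result of `explicit-params` on a certificate presented to an unpatched Windows 10 host is worth investigating, since named curves are the norm for real-world issuers. The parser deliberately ignores everything else in the certificate, so it is a triage filter, not a replacement for full chain validation.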
CVE-2020-0601 is not the only critical vulnerability addressed this month, though it may be getting the most attention.
Microsoft tackles critical RDP vulnerabilities
For January, Microsoft has also released fixes for three critical remote desktop vulnerabilities:
CVE-2020-0609 and CVE-2020-0610 are both remote code execution vulnerabilities that exist in Windows Remote Desktop Gateway. Unauthenticated attackers can connect to the victim system via RDP and send specially targeted requests. Attackers who successfully exploit this vulnerability can run arbitrary code on the victim system, allowing them to view and change data, install programs and create new accounts with full user rights. Once an attacker has access, lateral movement throughout the network is hard to stop.
These vulnerabilities are also pre-authentication, meaning an attacker needs no valid credentials, and exploitation requires no user interaction.
CVE-2020-0609 is rated 9.8 on the CVSS scale, placing it at the top end of the severity range. Windows Server 2012, 2016 and 2019 are affected by CVE-2020-0609 and CVE-2020-0610.
In the update, Microsoft corrects these issues by changing how Remote Desktop Gateway handles connection requests.
CVE-2020-0611 is a remote code execution vulnerability that exists in Windows Remote Desktop Client when users connect to a malicious server. Attackers can trick users into connecting to a malicious server through a variety of means, such as DNS poisoning, social engineering or man-in-the-middle attacks. A legitimate server can also be compromised and used to host malicious code while the attacker “lies in wait.”
If successful, attackers can exploit this vulnerability to run arbitrary code on the computer of the connecting client, allowing them to view and change data, install programs and create new user accounts.
The update resolves this issue by correcting how Remote Desktop Client handles connection requests.
More updates from Microsoft
There are four other critical updates from Microsoft to take a look at this month. These include:
CVE-2020-0603 is a remote code execution vulnerability that occurs in ASP.NET Core software when the software fails to handle objects in memory. Attackers can exploit this vulnerability by tricking users into opening a specially crafted file – such as with an email attack. If successful, attackers can then run arbitrary code within the context of the current user. If the account has administrative rights, attackers can view and change data, install programs and create new user accounts. User accounts without admin-level access may have a lesser impact.
To address this issue, the fix from Microsoft corrects how ASP.NET Core handles objects in memory.
CVE-2020-0605 and CVE-2020-0606 are both .NET Framework remote code execution vulnerabilities that occur when the software fails to handle objects in memory. To exploit them, attackers need to convince users to open a specially crafted file with an affected version of the .NET Framework.
This is resolved by correcting how .NET Framework checks the source markups of files.
CVE-2020-0646 is another remote code execution vulnerability that exists in the .NET Framework. This vulnerability occurs when .NET framework fails to validate input correctly. Attackers who successfully exploit this vulnerability can seize control of the victim system.
Microsoft corrects this by changing how the .NET Framework validates inputs.
Updates from Adobe and Firefox
Both Adobe and Firefox have released important updates for January. This month's update from Adobe tackles nine security flaws in total – five of which are critical flaws in Adobe Illustrator CC.
The five vulnerabilities in Illustrator include:
All five can contribute to arbitrary code execution and can leave Illustrator vulnerable to a memory corruption attack. Adobe also released four “important” and “moderate” updates for Adobe Experience Manager.
Mozilla has also released a critical update for the Mozilla Firefox web browser. Released on January 8, 2020, CVE-2019-17026 is a critical flaw that is already being exploited in the wild. According to reports, “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.”
While January may be light in terms of patching volume, there are several substantial vulnerabilities to resolve this month – and there is also the end of support for Windows 7 and Windows Server 2008 to reckon with. The new year is a great time to ensure all your devices are current with the latest software, system and security updates.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.