Exploits & Vulnerabilities
April Patch Tuesday: Fixes for Font-Related, Microsoft SharePoint, Windows Components Vulnerabilities
Microsoft’s Patch Tuesday for April released fixes for a couple of critical font-related vulnerabilities, like an earlier disclosed one found in Adobe Type Manager Library (atmfd.dll). It also featured patches for vulnerabilities in Microsoft SharePoint and Windows Components.
Microsoft fixed 113 vulnerabilities in this month’s Patch Tuesday, just two shy of last month’s 115. This continues the streak of longer-than-usual list of patches that began in January. In fact, compared to the same period in 2019, Microsoft fixed 44% more vulnerabilities between January to April of this year.
In this month’s list, 17 were rated as critical, and 96 were rated as important. Three of the bugs addressed this month were identified as vulnerabilities under active attack. Included in the list of fixes is the font-related vulnerability announced in Microsoft’s security advisory soon after March’s Patch Tuesday. Mitigations and workarounds were disclosed in the same announcement, and Trend Micro also released rules for this flaw. This month’s list also includes patches for another associated critical font-related vulnerability.
Cloud-based document management and collaboration platform Microsoft SharePoint had its fair share of fixes for vulnerabilities, ranging from important to critical, that involved Remote Code Execution (RCE), cross-site scripting (XSS), and spoofing.
Joining these patches are ones for privilege escalation through various Windows components, including Microsoft Defender.
Find more details on some of the notable vulnerabilities that were patched in April below.
Font-Related Vulnerabilities
The earlier released vulnerability found in Adobe Type Manager Library (atmfd.dll), which is used to render fonts with the Adobe Type 1 PostScript format, is now officially listed as CVE-2020-1020. Threat actors can exploit this vulnerability by convincing users to open or view specially crafted documents. A related vulnerability involving OpenType Font Parsing, CVE-2020-0938, was also fixed. Both vulnerabilities that are listed as under active attack allow RCE, allowing threat actors to gain unauthorized access and control the affected device.
Microsoft Office SharePoint Vulnerabilities
Vulnerabilities related to Microsoft SharePoint come up to 20, with the critical ones (CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, and CVE-2020-0974) allowing RCE through the SharePoint application pool and the SharePoint server farm account.
Vulnerabilities that involve XSS were also fixed. One such vulnerability, CVE-2020-0927, was ranked as critical. Attackers exploit this by sending a specially crafted request to a SharePoint server. If successful, attackers can inject malicious content in the browser and perform unauthorized actions such as access and modify content and permissions.
Lastly, fixes for vulnerabilities that permitted spoofing were also released. Left unpatched, these can allow malicious parties to impersonate devices and users. Threat actors can then use this to attack network hosts, propagate malware, and steal information.
Windows Components Vulnerabilities
Patches for CVE-2020-1002 and CVE-2020-0835, two vulnerabilities found in the Microsoft Defender anti-malware platform, were added to this release. Both vulnerabilities are linked to privilege escalation, which threat actors use to gain unauthorized, elevated access on systems or networks.
Vulnerabilities of similar nature were also found and fixed in Microsoft DirectX (CVE-2020-0784 and CVE-2020-0888), Win32K (CVE-2020-0956, CVE-2020-0957, and CVE-2020-0958), Windows Graphics Component (CVE-2020-1004), and Windows Kernel (CVE-2020-1027 is identified as a vulnerability that’s being exploited in the wild).
CVE-2020-0993, which can cause denial of service (DoS) in Windows DNS service, was patched in this release. To exploit this vulnerability, attackers send malicious DNS queries, causing the service to become nonresponsive. The fix corrected how Windows DNS processes queries.
The fix for CVE-2020-0981 addressed the Windows Token security feature bypass vulnerability that allows sandbox escape, since applications with a certain integrity level are permitted to execute code at a different integrity level. The update corrects how Windows handles token relationships.
Trend Micro solutions
Users are advised to patch affected systems as soon as fixes are released. Users are also advised to install security solutions that will safeguard against attacks targeting these vulnerabilities.
Trend Micro™ Deep Security™ and Vulnerability Protection protects users from exploits that target these vulnerabilities via the following rules:
- 1010207 – Microsoft Windows Multiple Type1 Font Parsing Remote Code Execution Vulnerabilities (CVE-2020-1020 and CVE-2020-0938)
- 1010220 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0968)
Trend Micro™ TippingPoint® protects customers through the following rules:
- 36978: HTTP: Microsoft SharePoint Scorecards Deserialization of Untrusted Data Vulnerability
- 36982: HTTP: Microsoft Windows JET Database Engine Out-Of-Bounds Write Vulnerability
- 37050: HTTP: Microsoft Windows JET Database Engine Memory Corruption Vulnerability
- 37331: HTTP: Microsoft Excel XLSM File Information Disclosure Vulnerability
- 37369: HTTP: Microsoft Excel XLS File Use-After-Free Vulnerability
- 37431: HTTP: Microsoft Windows Type 1 PostScript Parsing Memory Corruption Vulnerability
- 37484: HTTP: Microsoft Internet Explorer CScriptRuntime Use-After-Free Vulnerability
- 37500: HTTP: Microsoft Windows ATMFD Code Execution Vulnerability