Exploits & Vulnerabilities
Patch Tuesday: Fixes for LNK, RDP, and Trident
February Patch Tuesday brings an even wider range of fixes than January. It addresses a total of 99 vulnerabilities — including 12 classified as Critical. Only five of the vulnerabilities were made public before the patches were released.
The first Patch Tuesday of 2020 in January brought an unusually long list of patches, but February brings an even wider range of fixes, addressing a total of 99 vulnerabilities: 12 classified as Critical and the remaining 87 deemed Important. Only five of the vulnerabilities were made public before the patches were released; one of these was rated as Critical.
New Critical vulnerabilities of note include Remote Code Execution (RCE) flaws in both .LNK handling and Remote Desktop; each, when exploited, gives the attacker the rights of the logged-in user. An attack of this type can lead to loss of control over a system or its individual components, as well as theft of sensitive data. A vulnerability in the legacy Trident-based Internet Explorer browser is the only Critical vulnerability reported as being exploited in the wild.
Privilege escalation vulnerabilities, on the other hand, have always been a common threat, but this month's count (55) is staggering. Attackers exploit such flaws in several ways, for example by manipulating access tokens, bypassing User Account Control (UAC), or hijacking a DLL search order.
Here’s a closer look at the notable vulnerabilities that have been patched this month:
Scripting Engine Memory Corruption Vulnerability
CVE-2020-0674 is a vulnerability in how the Trident rendering engine handles objects in memory. An attacker could use this flaw to run code with the same privileges as the logged-in user. Using Internet Explorer is not necessary to trigger this flaw; other vectors (such as specially crafted Office documents that host the rendering engine) can be used. Microsoft first noted this flaw in mid-January, and it is the only Critical flaw known to have been exploited before today's patches.
LNK Vulnerability
The most significant of the RCE vulnerabilities listed this month is CVE-2020-0729, a flaw in the processing of .LNK (shortcut) files. It could be exploited via a removable drive or a remote share that carries a malicious .LNK file together with an associated malicious binary. Successfully exploiting this vulnerability gives the attacker the same user rights as the local user.
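Because the attack pairs a shortcut with a companion binary on the same drive or share, the fields worth pulling out of a suspicious .LNK during triage are the ones that decide what gets launched: the relative target path, the working directory, the command-line arguments and the window mode. The parser below is an added example written for this post, not code from Trend Micro or Microsoft; it follows the MS-SHLLINK header and StringData layout, and the two shortcut blobs it inspects are constructed inline (the paths, DLL name and heuristics are illustrative assumptions, not indicators tied to CVE-2020-0729).

```python
"""Minimal Shell Link (.LNK) triage parser, per the MS-SHLLINK layout.

Extracts the attacker-controlled launch fields of a shortcut (relative
target path, working directory, command-line arguments, window mode) and
flags combinations typical of a shortcut shipped beside its payload on a
removable drive or share. Sample shortcuts are constructed below, not
captured from a real incident.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

STRING_FIELDS = (  # StringData order is fixed by the spec
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # window starts minimized and never gets focus
# Script/LOLBin hosts a document shortcut rarely needs but droppers routinely use
# (assumed heuristic list for this example).
HOST_TOKENS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def _read_string(data, off, unicode):
    """StringData: CountCharacters (uint16) then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    nbytes = count * 2 if unicode else count
    raw = data[off:off + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return text, off + nbytes


def parse_lnk(data):
    """Return the launch-relevant fields of a .LNK, or raise ValueError."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_cmd,) = struct.unpack_from("<I", data, 60)  # ShowCommand sits at offset 60
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip LinkTargetIDList: uint16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its uint32 size includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"show_command": show_cmd}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields  # ExtraData blocks after this point are not needed for triage


def triage(fields):
    """Heuristic findings for a parsed shortcut; an empty list means nothing odd."""
    findings = []
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    for tok in HOST_TOKENS:
        if tok in launch:
            findings.append("launches via " + tok)
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window hidden from the user (SW_SHOWMINNOACTIVE)")
    if len(fields.get("arguments", "")) > 200:
        findings.append("unusually long argument string")
    return findings


def build_sample_lnk(relative_path, working_dir, arguments, show_command):
    """Constructed sample: header + three Unicode StringData fields + TerminalBlock."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(working_dir) + s(arguments) + struct.pack("<I", 0)


# Constructed samples: a dropper-style shortcut that runs a DLL shipped on the same
# drive through rundll32 with a hidden window, and an ordinary application shortcut.
MALICIOUS_SAMPLE = build_sample_lnk("..\\..\\Windows\\System32\\rundll32.exe", ".",
                                    ".\\.cache\\loader.dll,Start", SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_sample_lnk("..\\..\\Program Files\\Editor\\editor.exe", ".", "", 1)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        fields = parse_lnk(blob)
        print(label, fields, triage(fields))
```

Run against a directory of shortcuts collected from a removable drive or share, the parser shows where each one points before anyone double-clicks it; the heuristics are a starting point and should be tuned to the environment, since relative targets and minimized windows also occur in legitimate shortcuts.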
Remote Desktop Vulnerabilities
Vulnerabilities in various aspects of Remote Desktop continue to be found and patched. CVE-2020-0681 and CVE-2020-0734 are RCE vulnerabilities in the Windows Remote Desktop Client. An attacker exploits them by hosting a malicious server: when a user connects to it, arbitrary code runs on the client, allowing the attacker to install programs, view or modify data, and create new accounts with full user rights.
CVE-2020-0655 is an RCE vulnerability in Remote Desktop Services (formerly known as Terminal Services). No user interaction is required to exploit it; an authenticated attacker could send specially crafted requests to the target system's Remote Desktop Service over Remote Desktop Protocol (RDP) to execute arbitrary code and gain full user rights.
CVE-2020-0660 is a denial-of-service vulnerability in RDP Gateway servers. An attacker who connects to a vulnerable server using RDP and sends specially crafted requests can cause the RDP service on the target system to stop responding.
Privilege Escalation Vulnerabilities
The 55 privilege escalation vulnerabilities patched this month were for various components, including the Windows kernel, Search Indexer, DirectX, and Malicious Software Removal Tool. One of the more serious threats, CVE-2020-0692, can be abused by executing a man-in-the-middle (MITM) attack to forward an authentication request to a Microsoft Exchange Server. This allows attackers to impersonate another Exchange user.
Trend Micro solutions
Users can protect systems from threats targeting the vulnerabilities included in this month's Patch Tuesday by updating affected installations. Users can also deploy solutions like Trend Micro™ Deep Security™ and Vulnerability Protection, which provide an automated shield that minimizes disruptions and keeps critical applications and sensitive enterprise data protected by updating or creating rules for the applicable vulnerabilities. The following rules have been released to cover the appropriate vulnerabilities:
- 1010133-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
- 1010150-Microsoft Windows Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-0681)
- 1010151-Identified Usage Of 'X-JsonProxySecurityContext' HTTP Header
Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit some of the vulnerabilities fixed this month via the following MainlineDV filters:
- 36973: HTTP: Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
- 37063: HTTP: HTTP X-JsonProxySecurityContext Header Usage
- 37093: RDP: Microsoft Remote Desktop Services serverMultiTransportData Usage