January 2020 Patch Bulletin

This month we have 50 unique CVEs, 5 technologies with critical updates, and one critical zero-day vulnerability.

Microsoft announced that a critical zero-day vulnerability had been found in the scripting engine of the Internet Explorer (IE) web browser.

The vulnerability impacts IE across all versions of Windows and can corrupt memory so that an attacker can execute arbitrary code.

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. There are already reports that this vulnerability is actively exploited.

Microsoft has not released a patch so far, and since the vulnerability was officially reported to Microsoft 2 months ago, we don’t expect one to be developed any time soon.

**Please do not use Internet Explorer for browsing.**

It is also important to pay attention to CVE-2020-0601. This vulnerability could allow an attacker to sign malicious executables using a spoofed code-signing certificate. Microsoft also acknowledged the National Security Agency for finding this vulnerability.

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

For additional details, please find the information from Microsoft below:

 

| Technology | Products Affected | Severity | Reference | Workaround/Exploited/Publicly Disclosed | Vulnerability Info |
| --- | --- | --- | --- | --- | --- |
| Windows | Windows 7, 8.1, 8.1 RT, 10, Server 2008, 2012, 2012R2, 2016, 2019 | Critical | CVE-2020-0601, CVE-2020-0607, CVE-2020-0608, CVE-2020-0609, CVE-2020-0610, CVE-2020-0611, CVE-2020-0612, CVE-2020-0613, CVE-2020-0614, CVE-2020-0615, CVE-2020-0616, CVE-2020-0617, CVE-2020-0620, CVE-2020-0621, CVE-2020-0622, CVE-2020-0623, CVE-2020-0624, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633, CVE-2020-0634, CVE-2020-0635, CVE-2020-0636, CVE-2020-0637, CVE-2020-0638, CVE-2020-0639, CVE-2020-0641, CVE-2020-0642, CVE-2020-0643, CVE-2020-0644 | Workaround: No; Exploited: No; Public: No | Spoofing, Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass |
| IE | 9, 10, 11 | Critical | CVE-2020-0640 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| Office, Office Services, Office Web Apps | Office 365 ProPlus; Office 2010, 2013, 2016, 2019; Excel 2010, 2013, 2016; Office 2016 for Mac, 2019 for Mac; SharePoint Enterprise Server 206; SharePoint Foundation Server 2010, 2013 | Important | CVE-2020-1491, CVE-2020-0647, CVE-2020-0650, CVE-2020-0609, CVE-2020-0651, CVE-2020-0652, CVE-2020-0653, CVE-2020-0654 | Workaround: No; Exploited: No; Public: No | Information Disclosure, Security Feature Bypass, Remote Code Execution, Spoofing |
| ASP .NET Core | ASP .NET Core 2.1, 3.0, 3.1 | Critical | CVE-2020-0602, CVE-2020-0603 | Workaround: No; Exploited: No; Public: No | Denial of Service, Remote Code Execution |
| .NET Core | .NET Core 3.0, 3.1 | Critical | CVE-2020-0605, CVE-2020-0606 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| .NET Framework | .NET 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 | Critical | CVE-2020-0605, CVE-2020-0606, CVE-2020-0646 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| One Drive for Android | One Drive for Android | Important | CVE-2020-0654 | Workaround: No; Exploited: No; Public: No | Security Feature Bypass |
| Microsoft Dynamics | Dynamics 365 Field Service (on-premises) v7 series | Important | CVE-2020-0656 | Workaround: No; Exploited: No; Public: No | Spoofing |

In case of any questions or clarifications please feel free to reach out to ECHO’s Service Desk.