[German]On April 14, 2020 a series of security updates for Windows, Office etc. were released. These partially close 0-day vulnerabilities, but there is also collateral damage. For example, VBA code signing no longer works after installing the Office security updates. Here is an overview of what I have seen so far.
Advertising
I had already published details about the respective updates in the blog posts linked at the end of the article. This is about critical vulnerabilities and problems caused by the updates.
Vulnerabilities attacked in the wild
The Zero-Day Initiative (ZDI) has published an overview of all vulnerabilities addressed by Microsoft via update in this article. Here is the list of the attacked vulnerabilities.
Vulnerability CVE-2020-1020
CVE-2020-1020 is the Adobe Font Manager Type Library Remote Code Execution vulnerability in Windows 7, already known in March 2020, which could be exploited by an attacker to execute their code on affected systems (with the privileges of the user). To do this, the user must view a document with a specially crafted font. Only customers with an ESU license will receive the patch for Windows 7 and Server 2008. However, alternatives are BypassESU and 0patch, which close this vulnerability even without an ESU license (see also Patchday: Updates for Windows 7/8.1/Server (April 14, 2020) and 0patch fixes 0-day Adobe Type Library bug in Windows 7).
Vulnerability CVE-2020-0938
CVE-2020-0938 is an OpenType font parsing remote code execution vulnerability. This bug is related to the previous vulnerability CVE-2020-1020, although it affects a different font renderer. There are also active attacks listed here. Again, an attacker could execute his code on a target system if a user viewed a specially crafted font. We should also note that Windows 10 systems are less affected by these flaws because the code would be executed in an AppContainer sandbox. Win7 users also need an ESU license for this patch.
But here is a problem: So far there seems to be no patch from Microsoft for the vulnerability. Windows 7 users would need an ESU license for this patch. Only 0patch has a micro-patch for Windows 7 that prevents the exploitation of the vulnerability.
Vulnerability CVE-2020-0993
CVE-2020-0993 is a Windows DNS Denial of Service vulnerability. A patch released by Microsoft fixes a Denial of Service (DoS) error in the Windows DNS service. Note that this is the DNS service and not the DNS server, so client systems are also affected by this vulnerability. An attacker could cause the DNS service not to respond by sending some specially crafted DNS queries to an affected system. Since this is not code execution, only this is considered important. However, given the damage that could be caused by an unauthenticated attacker, this should be at the top of the test and deployment list.
Advertising
Vulnerability CVE-2020-0981
CVE-2020-0981 is a Windows Token Security Feature Bypass vulnerability. This vulnerability allows you to escape from a sandbox. The vulnerability results from improper handling of token relationships by Windows. Attackers could exploit this to allow an application with a certain integrity level to execute code at another – presumably higher – integrity level. This only affects Windows 10 version 1903 and higher and has been patched by an update.
Miscellaneous
The following tweet takes up a discussion of the number of 0-day vulnerabilities patched in April 2020.
There's a lot of confusion this month about the number of 0days Microsoft patched this month. Many reports of only 3, but by my count there are 4: CVE-2020-0938, CVE-2020-1020, CVE-2020-0674 and CVE-2020-1027. https://t.co/C1GgmHr550
— Dan Goodin (@dangoodin001) April 15, 2020
There is also this post on askwoody.com that deals with the number of 0-day vulnerabilities that are exploited.
By the way, the Microsoft Malicious Software Removal Tool was not updated in April 2020 – see also this comment.
Issues with the April 2020 updates
The security updates of April 14, 2020 lead to installation aborts and subsequent errors for some users.
Temporary user profile
Some users, like here, run into the problem that updates like KB4549951 corrupt the user profile, so that the user is logged on to a temporary user profile after installation. I had already addressed this issue in the article Windows 10: Update KB4532693 kills user data/profile and other blog posts.
Various installation errors
Some users cannot install the update because the process terminates with an installation error. In this comment, update KB4549951 (Windows 10 version 1909) reports the error 0x800f0988. I had already mentioned some of these errors in the March updates in the article Windows 10 V190x: Update KB4541335 causes issues.
Printer issues after update install
At askwoody.com, there is this comment from an anonymous reader pointing out printer problems. The cumulative update KB4549951 for Windows 10 version 1909 causes problems for printers with type 3 and type 4 printer drivers. The printers did not print or did not allow the printer settings to be changed. The printers did not print or did not allow you to change the printer settings, and then the printer driver had to be installed on the computer even though the drivers were installed on the computer. After you remove KB4549951 from the installed updates and restart the computer, the printers worked again.
Office security updates brick VBA code
The security updates that are listed in the article Patchday Microsoft Office Updates (14. April 2020) have an side effect that is described in the following tweet.
CVE-2020-0760 patch is out. This vulnerability breaks VBA code signing and allows RCE via malicious MS Office documents. The patch changes the way type libraries are handled. More information at https://t.co/rmHozG9ZbA. I submitted a talk with full details to @BlackHatEvents USA.
— Stan Hegt (@StanHacked) April 14, 2020
Any security updates intended to close vulnerability CVE-2020-0760 could cause references to type libraries in Visual Basic for Applications (VBA) to be blocked on affected systems and then errors to be reported. The background: All references to the following files can be blocked,
- Typelibs (*.olb, *.tlb, *.dll)
- Executable files (*.exe)
- ActiveX controls(*.ocx)
if they are located on Internet or intranet servers or if they are downloaded from the Internet. Microsoft has published this support article on this topic together with an FAQ. The workaround suggested by Microsoft in the article is to allow the reloading of 'untrusted' content in the Office security settings.
Similar articles:
Microsoft Office Patchday (April 7, 2020)
Microsoft Security Update Summary (April 14, 2020)
Patchday: Windows 10 Updates (April 14, 2020)
Patchday: Updates for Windows 7/8.1/Server (April 14, 2020)
Advertising
guenni
new batch of optional non-security updates available Tue April 21:
KB4550945 for 1903/1909
KB4550969 for 1809
KB4550944 for 1803 enterprise/education
KB4550947 for 1607 LTSB 2016 / Server 2016
KB4550958 preview rollup for Win8.1 / Server 2012 R2
KB4550960 preview rollup for Win8 Embedded / Server 2012
edit – KB4550945 update seems to have bugfixes for possible print problems