April 2020 Patchday: Review and issues

Windows Update[German]On April 14, 2020 a series of security updates for Windows, Office etc. were released. These partially close 0-day vulnerabilities, but there is also collateral damage. For example, VBA code signing no longer works after installing the Office security updates. Here is an overview of what I have seen so far.


Advertising

I had already published details about the respective updates in the blog posts linked at the end of the article. This is about critical vulnerabilities and problems caused by the updates.

Vulnerabilities attacked in the wild

The Zero-Day Initiative (ZDI) has published an overview of all vulnerabilities addressed by Microsoft via update in this article. Here is the list of the attacked vulnerabilities.

Vulnerability CVE-2020-1020

CVE-2020-1020 is the Adobe Font Manager Type Library Remote Code Execution vulnerability in Windows 7, already known in March 2020, which could be exploited by an attacker to execute their code on affected systems (with the privileges of the user). To do this, the user must view a document with a specially crafted font. Only customers with an ESU license will receive the patch for Windows 7 and Server 2008. However, alternatives are BypassESU and 0patch, which close this vulnerability even without an ESU license (see also Patchday: Updates for Windows 7/8.1/Server (April 14, 2020) and 0patch fixes 0-day Adobe Type Library bug in Windows 7).

Vulnerability CVE-2020-0938

CVE-2020-0938 is an OpenType font parsing remote code execution vulnerability. This bug is related to the previous vulnerability CVE-2020-1020, although it affects a different font renderer. There are also active attacks listed here. Again, an attacker could execute his code on a target system if a user viewed a specially crafted font. We should also note that Windows 10 systems are less affected by these flaws because the code would be executed in an AppContainer sandbox. Win7 users also need an ESU license for this patch.

But here is a problem: So far there seems to be no patch from Microsoft for the vulnerability. Windows 7 users would need an ESU license for this patch. Only 0patch has a micro-patch for Windows 7 that prevents the exploitation of the vulnerability.

Vulnerability CVE-2020-0993

CVE-2020-0993 is a Windows DNS Denial of Service vulnerability. A patch released by Microsoft fixes a Denial of Service (DoS) error in the Windows DNS service. Note that this is the DNS service and not the DNS server, so client systems are also affected by this vulnerability. An attacker could cause the DNS service not to respond by sending some specially crafted DNS queries to an affected system. Since this is not code execution, only this is considered important. However, given the damage that could be caused by an unauthenticated attacker, this should be at the top of the test and deployment list.


Advertising

Vulnerability CVE-2020-0981

CVE-2020-0981 is a Windows Token Security Feature Bypass vulnerability. This vulnerability allows you to escape from a sandbox. The vulnerability results from improper handling of token relationships by Windows. Attackers could exploit this to allow an application with a certain integrity level to execute code at another – presumably higher – integrity level. This only affects Windows 10 version 1903 and higher and has been patched by an update.

Miscellaneous

The following tweet takes up a discussion of the number of 0-day vulnerabilities patched in April 2020.

There is also this post on askwoody.com that deals with the number of 0-day vulnerabilities that are exploited.

By the way, the Microsoft Malicious Software Removal Tool was not updated in April 2020 – see also this comment.

Issues with the April 2020 updates

The security updates of April 14, 2020 lead to installation aborts and subsequent errors for some users.

Temporary user profile

Some users, like here,  run into the problem that updates like KB4549951 corrupt the user profile, so that the user is logged on to a temporary user profile after installation. I had already addressed this issue in the article Windows 10: Update KB4532693 kills user data/profile and other blog posts.

Various installation errors

Some users cannot install the update because the process terminates with an installation error. In this comment, update KB4549951 (Windows 10 version 1909) reports the error 0x800f0988. I had already mentioned some of these errors in the March updates in the article Windows 10 V190x: Update KB4541335 causes issues.

Printer issues after update install

At askwoody.com, there is this comment from an anonymous reader pointing out printer problems. The cumulative update KB4549951 for Windows 10 version 1909 causes problems for printers with type 3 and type 4 printer drivers. The printers did not print or did not allow the printer settings to be changed. The printers did not print or did not allow you to change the printer settings, and then the printer driver had to be installed on the computer even though the drivers were installed on the computer. After you remove KB4549951 from the installed updates and restart the computer, the printers worked again.

Office security updates brick VBA code

The security updates that are listed in the article Patchday Microsoft Office Updates (14. April 2020) have an side effect that is described in the following tweet.

Any security updates intended to close vulnerability CVE-2020-0760 could cause references to type libraries in Visual Basic for Applications (VBA) to be blocked on affected systems and then errors to be reported. The background: All references to the following files can be blocked,

  • Typelibs (*.olb, *.tlb, *.dll)
  • Executable files (*.exe)
  • ActiveX controls(*.ocx)

if they are located on Internet or intranet servers or if they are downloaded from the Internet. Microsoft has published this support article on this topic together with an FAQ. The workaround suggested by Microsoft in the article is to allow the reloading of ‘untrusted’ content in the Office security settings.

Similar articles:
Microsoft Office Patchday (April 7, 2020)
Microsoft Security Update Summary (April 14, 2020)
Patchday: Windows 10 Updates (April 14, 2020)
Patchday: Updates for Windows 7/8.1/Server (April 14, 2020)


Advertising


This entry was posted in issue, Windows and tagged , , , , . Bookmark the permalink.

1 Response to April 2020 Patchday: Review and issues

  1. EP says:

    guenni

    new batch of optional non-security updates available Tue April 21:

    KB4550945 for 1903/1909
    KB4550969 for 1809
    KB4550944 for 1803 enterprise/education
    KB4550947 for 1607 LTSB 2016 / Server 2016
    KB4550958 preview rollup for Win8.1 / Server 2012 R2
    KB4550960 preview rollup for Win8 Embedded / Server 2012

    edit – KB4550945 update seems to have bugfixes for possible print problems

Leave a Reply

Your email address will not be published. Required fields are marked *