Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...
Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now
Patch Tuesday In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.
49 fixes from Microsoft
This month's Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond's Windows Remote Desktop Protocol software. Two of the flaws (CVE-2020-0609, CVE-2020-0610) are present on the server side in RD Gateway – requiring no authentication – while a third (CVE-2020-0611) is found on the client side.
Dustin Childs of the Trend Micro Zero Day Initiative notes that the two gateway flaws in particular are the ones most open to exploitation.
"This code execution occurs at the level of the server and is pre-auth and without user interaction," Childs pointed out. "That means these bugs are wormable – at least between RDP Gateway Servers."
NSA very publicly reports a Windows bug
Also dropping this month is CVE-2020-0601, an unfortunate digital-certificate-spoofing vulnerability that has been heavily hyped over the past 24 hours by the NSA.
According to Microsoft, the vulnerability is present in the Windows Crypto API for Windows 10, Server 2016, and Server 2019. At its heart are blunders in checks performed on Elliptic Curve Cryptography certificates.
The end result is that miscreants can cryptographically sign malware using a spoofed certificate to make the code appear to come from a trusted application developer. Thus, folks may be tricked into installing spyware, ransomware, and other horrible stuff.
The NSA took things a step further, suggesting [PDF] the bug could not only be abused to disguise software nasties as legit apps, but also to potentially intercept secure network communications.
"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the secretive body said. "The consequences of not patching the vulnerability are severe and widespread."
Amid Uncle Sam's dire warnings, Microsoft said there is no evidence of the flaw being targeted in the wild and its severity level is listed as "important," a step below the critical remote code execution bugs in RDP, .NET (CVE-2020-0603, CVE-2020-0605, CVE-2020-0606, CVE-2020-0646) and Internet Explorer (CVE-2020-0640).
The American spying agency, though, wants everyone to know – to the point of even holding a press conference about CVE-2020-0601 – that it privately found and reported this diabolical cert flaw to Microsoft, and that it is a totally friendly mass-surveillance system that has turned a new leaf, wants to be on the good side of infosec researchers, and cares about your ongoing ability to verify the origin and integrity of executable files and network connections. And that it's happy for Microsoft to publicly thank the snoops for finding the flaw, which it did.
Meanwhile, there's another advisory here from the CMU CERT Coordination Center on the certificate fumble. As with all these holes, get it patched as soon as you can.
Moving on, there are the handful of remote-code-execution vulnerabilities in Office, programming screw-ups that can be exploited when the user opens a specially poisoned document file. Those include flaws in Excel (CVE-2020-0650, CVE-2020-0651, CVE-2020-0653) and one for Office in general (CVE-2020-0652).
Finally, this Patch Tuesday marks the last official mainstream release of security fixes for Windows 7 and Server 2008, which drop out of support today (plus or minus a few caveats).
Intel posts six advisories to start the year
There were half a dozen advisories released this month by Intel, including one for what Chipzilla considers a high-severity issue. That flaw, CVE-2019-14613, allows elevation of privilege by way of the VTune Amplifier for Windows software.
Intel also addressed an information disclosure flaw (CVE-2019-14615) in Processor Graphics, which we note affects Windows, Linux, and perhaps other operating systems; a denial of service bug (CVE-2019-14596) in Chipset Device Software INF Utility; and an elevation of privilege bug (CVE-2019-14601) in RAID Web Console 3 for Windows.
Admins will want to get in the habit of testing and installing all of the monthly Intel patches alongside those from Microsoft and other vendors.
VMware warns of EoP bug
While you're patching Windows, it would be wise to get the latest update for VMware Tools. That fix cleans up CVE-2020-3941, a race condition flaw that would potentially allow users to escalate their privileges within a Windows VM.
While not as serious as a full hypervisor escape bug, the flaw is worth patching. Alternatively, upgrading to VMware Tools 11.0.0 or later fixes the bug as well.
Adobe starts off slow with just two January patches
This was a relatively light Patch Tuesday for Adobe, which emitted a pair of updates to address a total of nine CVE-listed bugs.
Of those, five were found in Adobe Illustrator CC for Windows. Each is a memory corruption vulnerability that, if exploited, allows arbitrary code execution. FortiGuard Labs researcher Honggang Ren was credited for all five discoveries.
The second patch was issued for Adobe Experience Manager. It cleans up four flaws, each allowing for information disclosure. Two of the bugs were credited to Lorenzo Pirondini, a front-end software engineer at Adobe specialists Netcentric.
SAP posts seven patches
This month saw SAP release six bug fixes and one update to an earlier notice.
Of those seven bulletins, the most serious concerns CVE-2020-6305, a cross-site scripting vulnerability in the Rest Adaptor for SAP Process Integration.
Other patches include a denial of service flaw in NetWeaver Internet Communication Manager (CVE-2020-6304), and a missing authorization check in Realtech RTCISM 100. ®