{"id":17708,"date":"2020-02-11T13:20:54","date_gmt":"2020-02-11T21:20:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/02\/11\/news-11443\/"},"modified":"2020-02-11T13:20:54","modified_gmt":"2020-02-11T21:20:54","slug":"news-11443","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/11\/news-11443\/","title":{"rendered":"February, 2020 Patch Tuesday brings a century of updates to Microsoft, Adobe products"},"content":{"rendered":"<p><strong>Credit to Author: SophosLabs Offensive Security| Date: Tue, 11 Feb 2020 20:50:22 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p>For this second Patch Tuesday of 2020, Microsoft has released a hundred patches to Windows and other Microsoft software, including 12 vulnerabilities flagged as Critical, and 87 flagged as Important. In addition, Adobe also published updates for its Flash Player, Acrobat, Framemaker, Experience Manager, and Digital Editions products in notifications timed to coincide with Microsoft&#8217;s publication.<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/releasenotedetail\/2020-Feb\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft&#8217;s Security Update Guide<\/a> will update itself as more information becomes available, but the page lists no fewer than 26 CVE records that address various vulnerabilities in Microsoft products. 
If that seems like a lot, Adobe&#8217;s list (published on their <a href=\"https:\/\/helpx.adobe.com\/security.html\" target=\"_blank\" rel=\"noopener noreferrer\">Security Bulletins and Updates<\/a> page) lists <a href=\"https:\/\/helpx.adobe.com\/security\/products\/acrobat\/apsb20-05.html\" target=\"_blank\" rel=\"noopener noreferrer\">17 CVEs just for the Acrobat<\/a> product lines, 12 of which are rated a critical fix.\u00a0 Any way you cut it, February may be a short month but it&#8217;s one of the largest for updates we&#8217;ve seen.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-64130\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-product_v2.png\" alt=\"\" width=\"640\" height=\"465\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-product_v2.png 770w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-product_v2.png?resize=300,218 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-product_v2.png?resize=768,558 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/> As always, you can manually download the update rollup specific to your supported Windows system from the <a href=\"https:\/\/www.catalog.update.microsoft.com\/Search.aspx?q=2020-02\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Update Catalog<\/a> website.<\/p>\n<p>On Windows, the most critical components requiring attention are:<\/p>\n<ul>\n<li>Windows Kernel<\/li>\n<li>Windows Remote Desktop Protocol (RDP)<\/li>\n<li>Scripting Engine<\/li>\n<li>Windows Media Foundation<\/li>\n<li>Windows Backup Service<\/li>\n<\/ul>\n<p>Some particular attention should be drawn to <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0674\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0674 (Scripting Engine Memory Corruption Vulnerability)<\/a> as its exploitation has been detected in the wild.<\/p>\n<p>Additionally, the February Patch 
Tuesday addresses many critical vulnerabilities, which have not (yet) been spotted as actively exploited, but may be in the near future, including:<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0662\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0662<\/a>: Windows Remote Code Execution Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0681\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0681<\/a>: Remote Desktop Client Remote Code Execution Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0734\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0734<\/a>: Remote Desktop Client Remote Code Execution Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0729\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0729<\/a>: LNK Remote Code Execution Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0738\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0738<\/a>: Media Foundation Memory Corruption Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0673\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0673<\/a>: Scripting Engine Memory Corruption Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0710\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0710<\/a>: Scripting Engine Memory Corruption Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0711\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0711<\/a>: Scripting Engine Memory Corruption Vulnerability<\/p>\n<p><a 
href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0712\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0712<\/a>: Scripting Engine Memory Corruption Vulnerability<\/p>\n<p><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0713\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0713<\/a>: Scripting Engine Memory Corruption Vulnerability<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-64132\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png\" alt=\"\" width=\"344\" height=\"345\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png 482w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=150,150 150w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=300,300 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=64,64 64w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=96,96 96w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-severity_v2.png?resize=128,128 128w\" sizes=\"auto, (max-width: 344px) 100vw, 344px\" \/><\/p>\n<p>SophosLabs has broken down the content of the February 2020 edition of Patch Tuesday as follows:<\/p>\n<h3>LNK vulnerability<\/h3>\n<h4>CVE-2020-0729<\/h4>\n<p>One of the most interesting vulnerabilities of this month is CVE-2020-0729: LNK Remote Code Execution Vulnerability. The LNK file type is <a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-shllink\/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943\" target=\"_blank\" rel=\"noopener noreferrer\">a [publicly documented] binary format<\/a>. 
Unlike Linux, which uses Symbolic Links to create shortcuts, Windows relies on this LNK format (although Windows also <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/fileio\/symbolic-links\" target=\"_blank\" rel=\"noopener noreferrer\">supports and uses Symbolic Links<\/a>, via NTFS). As a binary format, it requires the operating system to parse the contents, which can introduce vulnerabilities, as has happened in the past (<a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2017-8464\/\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2017-8464<\/a> or <a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2015-0096\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2015-0096<\/a>). Little information was communicated by Microsoft, except that <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0729\" target=\"_blank\" rel=\"noopener noreferrer\">a successful exploitation of this new vulnerability<\/a> (CVE-2020-0729) would lead to code execution, possibly remotely. That is probably why Microsoft decided to classify this vulnerability as &#8220;Critical.&#8221;<\/p>\n<h3>Scripting Engine<\/h3>\n<h4>CVE-2019-1451, CVE-2020-0673, CVE-2020-0674, CVE-2020-0710,<\/h4>\n<h4>CVE-2020-0711, CVE-2020-0712, CVE-2020-0713<\/h4>\n<p>Several Remote Code Execution (RCE) vulnerabilities were discovered and patched this month. Even though those vulnerabilities would not immediately be linked to a full system compromise, their successful exploitation would give an attacker a foothold on a targeted computer, with the associated privileges, allowing further horizontal or vertical escalation.<\/p>\n<p>CVE-2020-0674 is the one other vulnerability that stands out this month, mostly because <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0674\" target=\"_blank\" rel=\"noopener noreferrer\">it has been found exploited in the wild<\/a>, so its exploitation is not merely theoretical. 
Therefore SophosLabs urges users to apply the available patches immediately to avoid being compromised by any of those vulnerabilities.<\/p>\n<h3>RDP service and client<\/h3>\n<h4>CVE-2020-0655, CVE-2020-0660, CVE-2020-0681, CVE-2020-0734<\/h4>\n<p>This month again, RDP happens to be a target of choice, with 4 vulnerabilities fixed in several components:<\/p>\n<p>&#8211; Remote Desktop Service: CVE-2020-0655<\/p>\n<p>&#8211; Remote Desktop Client: CVE-2020-0681, CVE-2020-0734<\/p>\n<p>Interestingly, some vulnerabilities in the RDP components are related to incorrect packet parsing when a connection is performed via UDP (CVE-2020-0681), as was the case last month for CVE-2020-0609 and CVE-2020-0610, which also stemmed from incorrect validation of UDP packets.<\/p>\n<p>Aside from the RCE bugs mentioned above, a DoS issue was also patched (CVE-2020-0660).<\/p>\n<h3>Windows Kernel\u00a0Win32k component<\/h3>\n<h4>CVE-2020-0691, CVE-2020-0716, CVE-2020-0717, CVE-2020-0719,<\/h4>\n<h4>CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723,<\/h4>\n<h4>CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731,<\/h4>\n<h4>CVE-2020-0714, CVE-2020-0709, CVE-2020-0792<\/h4>\n<p>Several memory corruption vulnerabilities have been discovered and patched by Microsoft, in Win32k and DirectX kernel components. 
Although those vulnerabilities vary in nature (use after free, buffer overflow), their successful exploitation would allow an attacker to locally elevate their privileges; in a remote scenario, coupled with (at least) a browser exploit, such vulnerabilities could be triggered remotely to escape the browser sandbox, giving the attacker full control of the system entirely remotely.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-64131\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-impact_v2.png\" alt=\"\" width=\"640\" height=\"440\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-impact_v2.png 814w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-impact_v2.png?resize=300,206 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-impact_v2.png?resize=768,528 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<h3>How is Sophos responding to these threats?<\/h3>\n<p>Here is a list of protections released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.<\/p>\n<h4>Additional IPS Signatures<\/h4>\n<div class=\"table-wrap\">\n<table class=\"wrapped relative-table confluenceTable\">\n<colgroup>\n<col \/>\n<col \/><\/colgroup>\n<tbody>\n<tr>\n<td class=\"highlight-grey confluenceTd\" title=\"Background colour : Grey\" data-highlight-colour=\"grey\">\n<p title=\"\"><strong>CVE<\/strong><\/p>\n<\/td>\n<td class=\"highlight-grey confluenceTd\" title=\"Background colour : Grey\" data-highlight-colour=\"grey\">\n<p title=\"\"><strong>SID<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td class=\"confluenceTd\">CVE-2020-0658<\/td>\n<td class=\"confluenceTd\">2301474<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<h3>How long does it take to have Sophos detection in place?<\/h3>\n<p>We aim to add detection to critical issues based on the 
type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.<\/p>\n<h3>What if the vulnerability\/0-day you\u2019re looking for is not listed here?<\/h3>\n<p>If we haven\u2019t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month\u2019s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.<\/p>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/sophos\/dgdY\/~3\/zpsWY9HeJhU\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2020\/02\/by-product_v2.png\"\/><\/p>\n<p><strong>Credit to Author: SophosLabs Offensive Security| Date: Tue, 11 Feb 2020 20:50:22 +0000<\/strong><\/p>\n<p>For this second Patch Tuesday of 2020, Microsoft has released a hundred patches to Windows and other Microsoft software, including 12 vulnerabilities flagged as Critical, and 87 flagged as Important. 
In addition, Adobe also published updates for its Flash Player, Acrobat, Framemaker, Experience Manager, and Digital Editions products in notifications timed to coincide with Microsoft&amp;#8217;s [&amp;#8230;]&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/sophos\/dgdY\/~4\/zpsWY9HeJhU&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[19244,11414,11739,10516,19245,18513,10525],"class_list":["post-17708","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-acrobat","tag-adobe","tag-flash","tag-microsoft","tag-patch-tuesday","tag-sophoslabs-uncut","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17708"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17708\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17708"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17708"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}