April 2020 Monthly Patch Release

Published on 15 Apr 2020

Updated on 15 Apr 2020

Microsoft has released security patches to address multiple vulnerabilities in their software and products.

Vulnerabilities that have been classified as Critical in severity are listed in the table below.

For the full list of security patches released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr

ZERO DAY VULNERABILITIES
CVE Number Description Base Score Reference
CVE-2020-0938

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or view it in the Windows Preview pane.

The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

This vulnerability has been known to be exploited in the wild.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938
CVE-2020-1020

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or view it in the Windows Preview pane.

The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

This vulnerability has been publicly disclosed and known to be exploited in the wild.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020
CVE-2020-0935

An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how OneDrive handles symbolic links.

This vulnerability has been publicly disclosed.

To be confirmed (TBC) https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935


CRITICAL VULNERABILITIES
CVE Number Description Base Score Reference
CVE-2020-0687

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerability:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email.
  • In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file.

The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.

8.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0687
CVE-2020-0910

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.

8.4 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910
CVE-2020-0965

A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code.

Exploitation of the vulnerability requires that a program process a specially crafted image file.

The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0965
CVE-2020-0907

A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.

To exploit the vulnerability, a user would have to open a specially crafted file.

The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0907
CVE-2020-0950

A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage.

The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0950
CVE-2020-0949

A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage.

The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0949
CVE-2020-0948

A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage.

The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0948
CVE-2020-0970

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The security update addresses the vulnerability by modifying how the ChakraCore scripting engine handles objects in memory.

4.2 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0970
CVE-2020-0969

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.

4.2 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0969
CVE-2020-0974

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that users upload a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974
CVE-2020-0932

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that users upload a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932
CVE-2020-0931

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that users upload a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931
CVE-2020-0929

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that users upload a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929
CVE-2020-1022

A remote code execution vulnerability exists in Microsoft Dynamics Business Central. An attacker who successfully exploited this vulnerability could execute arbitrary shell commands on victim's server.

To exploit the vulnerability, an authenticated attacker needs to convince the victim into connecting to a malicious Dynamics Business Central client or elevate permission to system to perform the code execution.

The security update addresses the vulnerability by preventing the possibility of using a binary type that could eventually execute code on the victim’s server.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022