January 2020 Patch Tuesday delivers fixes for 50 bugs

For the first edition of Patch Tuesday for 2020, Microsoft is fixing a total of 50 security vulnerabilities, 8 of them rated “Critical.” None of the vulnerabilities were reported as being exploited in the wild.

This month also marks the End-of-Life for Windows 7 support – meaning that, from now on, no security updates will be issued on Patch Tuesdays for Windows 7 systems. Needless to say, this puts Windows 7 users at high risk of compromise, at a rate which will only increases as time goes on and unfixed vulnerabilities pile up. The long-overdue upgrade to Windows 10 is highly recommended.

Here’s the patch highlights:

Crypt32.dll fix for digitally signed applications

The crypt32.dll component of Windows is a key piece of the operating system’s immune response: applications and the operating system use this DLL to verify and manage cryptographic digital signatures in applications, among other things. Windows and security tools can use digital signatures to validate whether an application is allowed to run, based on whether the application legitimately originated from the company that created it, as well as to encrypt or decrypt files or messages.

Sophos did not receive any information in advance about the vulnerability Microsoft fixed, but it’s been alleged that the DLL could be abused in such a way that an attacker could spoof the cryptographic certificate used to sign software. If that was the case, the operating system would have no way to tell whether any given application is allowed to run, in the kinds of highly-regulated environments where those certificates are used to “whitelist” applications, and prevent any others from running. According to reporting by Brian Krebs, the bug affects Windows 10 and Windows Server 2016, and was reported to Microsoft by the NSA. This will be the first Patch Tuesday in which Microsoft announces that a Windows bug was reported to them by the normally secretive agency.

While we currently have a research team member reverse-engineering the patch to retroactively figure out what has changed and how it might affect users, we don’t yet know the full nature or scale of the vulnerability. We’ll update SophosLabs Uncut with that information as we obtain it.

Remote Desktop Protocol

Keeping with the trend of vulnerabilities being found and fixed in RDP related software, possibly sparked by last year’s high-profile scare around BlueKeep, this month we are getting 5 bugs fixed in different RDP components:
Remote Desktop Gateway Server – CVE-2020-0609, CVE-2020-0610, CVE-2020-0612
Remote Desktop Web Access – CVE-2020-0637
Remote Desktop Client – CVE-2020-0611

The Remote Desktop Gateway and Web Access services can only be found on Windows Server systems, while the Remote Desktop Client should be present on all Windows editions.

Windows Search Indexer

As an apparent result of a concentrated effort to uncover bugs in the Windows Search Indexer service, a total of 12 security bugs were discovered in this subsystem and subsequently fixed by Microsoft. These bugs fall under the Elevation of Privilege classification.

An attacker with limited access to a system may exploit this type of vulnerabilities to gain more control over an affected system.
In this case, an attacker with non-admin access to the system may exploit these bugs to elevate his privilege level to that of the Search Indexer service – NT AUTHORITY\SYSTEM.

Web Browsers

In sharp contrast to the usual fair amount of browser-related bugs that get fixed on a Patch Tuesday, only a single one is being addressed this month: CVE-2020-0640, Memory corruption in Internet Explorer.

We would like to use the stage of this uneventful browser section to spread the news about the launch of Edge Chromium.

Edge Chromium is an evolution of the Microsoft Edge browser, replacing the software engines it was based on from the original Microsoft-made ones, to those of Google Chrome’s. This month’s patch will automatically deploy this new version of Edge in place of the old one, on Windows Home and Pro editions.

Security-wise, this should be a considerable improvement as it is empirically evident that the Microsoft engines were more vulnerability-prone.

Sophos detection guidance

Sophos has released following detection to detect exploits against the “Windows Common Log File System Driver Elevation of Privilege Vulnerability,” patched today. Please note that additional vulnerabilities and corresponding detection may be released in the future. We will update this post if that is the case.

Additional IPS signatures released

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.