For the April edition of Patch Tuesday, Microsoft repaired a total of 110 security vulnerabilities across its product line. Of these, 37 are remote code execution bugs and 33 are elevation of privilege bugs. The company rated 18 of the vulnerabilities “Critical.”
This release’s most notable item is the follow-up to last month’s announcement, “Cybercriminals are exploiting two unpatched zero-day flaws affecting all supported versions of Windows”. At the time, the company could only advise a workaround to mitigate the risk. With this release, the fix for the two vulnerabilities went live.
Here are the patch highlights:
Adobe Font Manager Library Remote Code Execution
Two vulnerabilities lie in the handling of the old and obsolete Type 1 (PostScript) font format, whose files commonly carry the .PFB and .PFM extensions.
If an attacker can get an unpatched Windows system to parse and render a specially crafted Type 1 font file, the bugs can be exploited to compromise the system.
On Windows versions prior to Windows 10, the code that handles these fonts (the Adobe Type Manager font driver, atmfd.dll) runs in high-privileged kernel mode. This makes the impact much more severe on older editions such as Windows 7 (now out of support) and Windows 8.1: there the bugs can be used for an elevation of privilege attack in addition to remote code execution.
Thankfully, on Windows 10 the same code has been moved into a low-privileged, sandboxed user-mode process. This hardening measure limits the bugs’ usefulness for elevation of privilege attacks; however, they still expose the system to a remote code execution scenario, even if the code initially runs inside that sandbox.
Normally, an attacker takes advantage of a font vulnerability to achieve remote code execution by enticing a victim to open a web page or document that has the malicious font embedded in it.
In the case of web pages, the CSS web fonts feature (@font-face) can be used for embedding. Office documents and PDF documents also support embedded fonts.
Fortunately, because the Type 1 format has fallen out of favor and been replaced by the newer TrueType and OpenType formats, much software no longer supports embedding Type 1 fonts. This is true of web browsers and Office software, for example, so the remote code execution attack surface for Type 1 bugs is somewhat smaller than for bugs affecting TrueType fonts.
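Because the two bugs are triggered by parsing a Type 1 font, a defender hunting for such files (in mail attachments, web caches or document containers) should not rely on the .PFB/.PFM extension. The following Python is an added example, not code from the original post or from Sophos: it recognizes the binary PFB container by its segment headers (a 0x80 magic byte, a segment type byte and a little-endian 32-bit length), recognizes the plain-text PFA form by its PostScript header comment, and locates either form embedded inside a larger blob. The sample font bytes it builds are constructed for the example and are not a real, renderable font; the metrics-only .PFM format is outside its scope.

```python
import struct

# PFB segment header: 0x80, then a type byte, then a little-endian uint32 length.
# Segment types: 1 = ASCII (cleartext), 2 = binary (eexec-encrypted), 3 = end of file.
PFB_MAGIC = 0x80
PFB_ASCII, PFB_BINARY, PFB_EOF = 1, 2, 3

# The cleartext part of a Type 1 font (a PFA at offset 0, or the first PFB
# ASCII segment) begins with one of these PostScript header comments.
TYPE1_HEADERS = (b"%!PS-AdobeFont-", b"%!FontType1")


def parse_pfb_segments(data: bytes):
    """Walk the PFB segment chain and return [(type, payload_offset, length)].

    Raises ValueError on a bad magic byte, an unknown segment type, a length
    that runs past the end of the data, or a missing EOF segment.
    """
    segments = []
    pos = 0
    while pos + 2 <= len(data):
        if data[pos] != PFB_MAGIC:
            raise ValueError(f"bad segment magic at offset {pos}")
        seg_type = data[pos + 1]
        if seg_type == PFB_EOF:
            segments.append((PFB_EOF, pos + 2, 0))
            return segments
        if seg_type not in (PFB_ASCII, PFB_BINARY):
            raise ValueError(f"unknown segment type {seg_type} at offset {pos}")
        if pos + 6 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack_from("<I", data, pos + 2)
        start = pos + 6
        if start + length > len(data):
            raise ValueError(f"segment at {pos} claims {length} bytes past end of data")
        segments.append((seg_type, start, length))
        pos = start + length
    raise ValueError("missing EOF segment")


def classify_type1(data: bytes) -> str:
    """Return 'pfb', 'pfa', or '' when the bytes are not a Type 1 font."""
    if data[:1] == bytes([PFB_MAGIC]):
        try:
            segs = parse_pfb_segments(data)
        except ValueError:
            return ""  # malformed or truncated container: do not trust the magic alone
        seg_type, off, ln = segs[0]
        if seg_type == PFB_ASCII and data[off:off + ln].startswith(TYPE1_HEADERS):
            return "pfb"
        return ""
    if data.startswith(TYPE1_HEADERS):
        return "pfa"
    return ""


def find_embedded_type1(blob: bytes):
    """Offsets of Type 1 font starts inside a larger blob (e.g. a document).

    Returns a sorted list of (offset, kind). A header that directly follows a
    PFB ASCII segment header is reported at the segment header's offset.
    """
    hits = []
    for hdr in TYPE1_HEADERS:
        i = blob.find(hdr)
        while i >= 0:
            if i >= 6 and blob[i - 6] == PFB_MAGIC and blob[i - 5] == PFB_ASCII:
                hits.append((i - 6, "pfb"))
            else:
                hits.append((i, "pfa"))
            i = blob.find(hdr, i + 1)
    return sorted(hits)


def build_sample_pfb() -> bytes:
    """Constructed sample for this example; not a real, renderable font."""
    def segment(seg_type: int, payload: bytes) -> bytes:
        return bytes([PFB_MAGIC, seg_type]) + struct.pack("<I", len(payload)) + payload

    cleartext = (b"%!PS-AdobeFont-1.0: SampleFont 001.000\n"
                 b"/FontName /SampleFont def\n"
                 b"currentfile eexec\n")
    encrypted = bytes(range(32))  # stand-in for the eexec-encrypted private part
    return (segment(PFB_ASCII, cleartext)
            + segment(PFB_BINARY, encrypted)
            + bytes([PFB_MAGIC, PFB_EOF]))


if __name__ == "__main__":
    sample = build_sample_pfb()
    print("sample:", classify_type1(sample))
    print("truncated:", classify_type1(sample[:-12]) or "not Type 1")
    document = b"PK\x03\x04 padding " + sample + b" %!FontType1-1.0: Other\n"
    print("embedded:", find_embedded_type1(document))
```

The parser deliberately rejects a container whose segment length runs past the end of the data rather than clamping it: a truncated or length-lying PFB is exactly the kind of input a font parser bug is triggered with, so a filter should treat it as suspicious rather than silently accept it.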
Windows Elevation of Privilege Vulnerabilities
Elevation of Privilege (EoP) vulnerabilities permit an attacker who already has limited access to a Windows system to gain more control over it, typically by “escaping” a low-integrity or sandboxed process and subsequently obtaining full privileges on the system.
This month’s EoP bugs affect an assortment of Windows components, among them Win32k (graphics), the Push Notification Service and DirectX; amusingly enough, two of the bugs were discovered in Windows Defender, the built-in anti-malware component of Windows.
SharePoint Remote Code Execution Vulnerability
CVE-2020-0920, CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0971, CVE-2020-0974
Out of a total of 20(!) different bugs affecting SharePoint, 6 are classified as Remote Code Execution.
SharePoint is a web-based collaboration platform, almost always used by organizations rather than individuals. No detailed technical information has been published about any of these bugs, so it is unclear whether they affect SharePoint Server, SharePoint Online, or both. (SharePoint Online is updated by Microsoft; on-premises SharePoint Server installations must be patched by their own administrators.)
However, from the sheer number of fixes being deployed for this product, it is safe to assume that the bugs as a whole constitute a high risk of compromise, so this month’s patch is definitely not something to disregard if you run SharePoint.
Sophos detection guidance
Sophos has released the following detections to address the following vulnerabilities. Please note that this is not an exhaustive list of the protection measures Sophos has implemented, and that additional vulnerabilities and corresponding detections may be released in the future.