(Editor’s note: This article was updated on May 13, 2020 to include additional detections in the table at the end of the post.)
In what has become a tradition, the second Tuesday of every month Microsoft releases security updates to Windows and other products. This month’s release fixes a total of 114 vulnerabilities, among which 17 are classified as Critical, and 93 as Important.
Adobe usually times its updates to coincide with Microsoft's, and this month's release saw 21 bugs patched, all in Acrobat Reader. Rated "Important," all of the bugs fixed are memory corruption vulnerabilities (null pointer dereference, out-of-bounds read, use-after-free) that can potentially lead to code execution on the victim's host simply by opening a crafted PDF document.
SophosLabs has investigated some of the more interesting vulnerabilities Microsoft fixed this month. Here are some highlights.
Windows Graphic Components
The graphics layers of Windows span many complex technologies and therefore make up a huge attack surface, so attackers frequently hunt for vulnerabilities in these subsystems. This month, Microsoft fixed a total of 10 vulnerabilities affecting these core components, with impact ranging from kernel information leaks up to local Elevation of Privilege (EoP).
The EoP vulnerability that stands out the most this month is CVE-2020-1054, an out-of-bounds write in the syscall win32k!NtDrawIconEx, which draws an icon into a given device context handle (HDC). By its very nature this syscall can be invoked by any unprivileged Win32 application, so an attacker who triggers the bug can potentially elevate to SYSTEM.
Bear in mind, however, that these bugs are local: to exploit them, an attacker must already be able to execute code on the machine, and that code must run inside a Windows graphical session.
Web Browser memory corruption
This month's browser memory corruption vulnerabilities, if successfully exploited, could allow a remote attacker to execute code on the targeted host with the current user's privileges. All the attacker has to do is host a carefully crafted web page and either wait for a victim to visit it or force them there, whether through web vulnerabilities such as XSS, CSRF, or open redirects, or simply through social engineering.
Several vulnerabilities were also fixed in Internet Explorer 11 and the VBScript engine. These are attractive targets because they rely on old (in some cases, unsupported) technologies that do not benefit from the protections modern browsers offer users, which makes successful exploitation more likely.
CVE-2020-1084, CVE-2020-1123, CVE-2020-1137, CVE-2020-1081
Windows services are a rich source of bugs, particularly (but not only) filesystem bugs, most notably ones exploited by abusing symbolic links and junctions: a privileged service follows a link planted by an unprivileged user and ends up reading, writing, or deleting a file the user could never touch directly. Because services run with high privileges, successful exploitation usually results in privilege escalation.
This month, Microsoft issued fixes for several Windows services, including:
- Connected User Experiences and Telemetry Service
- Background Intelligent Transfer Service (BITS)
- Push Notifications
These same services had also been targeted, and had vulnerabilities fixed, in the April 2020 Patch Tuesday. Many more bugs in Windows services were fixed this month, any of which could potentially have resulted in EoP; however, Microsoft provided no technical details about them.
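The symbolic link and junction abuse described above has a common precondition: a reparse point sitting in a directory that unprivileged users can write to, pointing at a location a SYSTEM service will later open. The following triage script is an added example, not code from the Sophos post, that looks for exactly that shape. The scan roots are assumptions (directories that services commonly write to); extend the list with the paths your own services use.

```powershell
# Added example (not from the original post): find reparse points (symbolic links and
# junctions) that live in directories writable by low-privilege principals. Such links
# are the usual footprint of a service symlink/junction EoP attempt.

# Assumption: directories that privileged services commonly write to. Extend as needed.
$ScanRoots = @('C:\ProgramData', 'C:\Windows\Temp', "$env:SystemDrive\Users\Public")

# Low-privilege principals that should never hold write rights on a path a SYSTEM
# service follows.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-OwnerSafe {
    param([Parameter(Mandatory)][string]$Path)
    try { return (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner }
    catch { return 'unknown' }
}

# True if any Allow ACE grants write-class rights to one of the low-privilege principals.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Find-SuspiciousReparsePoints {
    param([string[]]$Roots = $ScanRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                $parent = Split-Path -LiteralPath $_.FullName -Parent
                $target = ($_.Target -join ';')   # string[] on Windows PowerShell 5.1, string on 7+
                [pscustomobject]@{
                    Path               = $_.FullName
                    LinkType           = $_.LinkType     # 'SymbolicLink' or 'Junction'
                    Target             = $target
                    Owner              = Get-OwnerSafe -Path $_.FullName
                    ParentLowPrivWrite = Test-LowPrivWritable -Path $parent
                    # A target under the Windows directory, or a non-drive (object manager)
                    # path, is the classic sign of a link planted to redirect a service.
                    TargetLooksPrivileged = ($target -match '^[A-Za-z]:\\Windows\\') -or
                                            ($target -match '^\\' -and $target -notmatch '^\\\\')
                }
            } |
            # Only links an unprivileged user could have planted are interesting.
            Where-Object { $_.ParentLowPrivWrite }
    }
}

Find-SuspiciousReparsePoints | Sort-Object TargetLooksPrivileged -Descending |
    Format-Table Path, LinkType, Target, Owner, TargetLooksPrivileged -AutoSize
```

Run it from an elevated prompt so the ACL reads succeed everywhere. Hits with TargetLooksPrivileged set to True and an Owner that is an ordinary user account deserve a closer look; links whose owner is SYSTEM or TrustedInstaller in those directories are usually legitimate installer artifacts.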
Although none of this month's vulnerabilities was reported as exploited in the wild, many are rated by Microsoft as very likely to be exploited. Simple precaution therefore dictates patching as soon as possible: regardless of any other layer of protection, applying the update is always the best remediation.
How is Sophos responding to these threats?
Here is a list of the protections released by SophosLabs in response to this advisory, which complement the existing protections and generic exploit mitigation capabilities in our products.
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.
What if the vulnerability/0-day you’re looking for is not listed here?
If we haven't released an update for a specific exploit, the most likely reason is that we have not received data showing how the exploit works in the real world. Many of this month's exploits were crafted in a lab and have not been seen in the wild, so nobody yet has enough information about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections as needed.