The February 2020 Security Update Review
February 11, 2020 | Dustin Childs
February is here, and with it comes some significant security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for February 2020
The Adobe release for February includes five bulletins addressing a total of 42 CVEs in Framemaker, Experience Manager, Adobe Digital Editions, Flash, and Acrobat and Reader. The update for Framemaker fixes 21 Critical-rated bugs, all of which were submitted through the ZDI program. The vast majority of these are Out-of-Bounds (OOB) write bugs that could lead to code execution. The update for Adobe Acrobat and Reader fixes 17 CVEs – seven of which are Use-After-Free (UAF) bugs. The worst of these bugs could allow an attacker to execute code on an affected system if they opened a specially crafted file. The Flash update fixes a single type confusion bug that could allow code execution at the level of the logged-on user. The patch for Adobe Digital Editions fixes two CVEs, one of which is a command injection bug that could allow code execution. The final patch from Adobe for February corrects a single Denial-of-Service (DoS) bug in the Experience Manager. None of these bugs are listed as publicly known or under active attack at the time of release.
We should also mention that Adobe released a patch for their Magento Commerce platform in late January to correct six CVEs. Adobe acquired Magento last May for $1.68 billion USD, and this appears to be the first patch released for the platform since the acquisition. None of these Critical- and Important-rated bugs are listed as publicly known or under active attack. What isn’t clear is if patches for Magento will eventually be included in the regular Patch Tuesday release or if they will be released outside of the standard schedule.
Microsoft Patches for February 2020
For February, Microsoft released patches for a whopping 99 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Internet Explorer (IE), SQL Server, Exchange Server, Office and Office Services and Web Apps, Azure DevOps Server, Team Foundation Server, and the Microsoft Malware Protection Engine. Of the 99 CVEs, 12 are listed as Critical while the remaining 87 are listed as Important in severity. Three of these vulnerabilities were reported through the ZDI program. According to Microsoft, five of these bugs are publicly known and one is currently under active attack.
Let’s take a closer look at some of the more interesting updates for this month, starting with the bug reported to be under active attack since mid-January:
- CVE-2020-0674 – Scripting Engine Memory Corruption Vulnerability
This browser bug impacts IE and the other programs that rely on the Trident rendering engine. Microsoft first warned users of this bug back on January 17. Attackers can execute code on affected systems if a user browses to a specially crafted website. Even if you don’t use IE, you could still be affected by this bug through embedded objects in Office documents. Considering the listed workaround – disabling jscript.dll – breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch.
- CVE-2020-0688 – Microsoft Exchange Memory Corruption Vulnerability
This code execution bug in Exchange is only listed as Important, but you should treat it as a Critical-rated vulnerability. An attacker could gain code execution on affected Exchange servers by sending a specially crafted e-mail. No other user interaction is required. The code execution occurs at System-level permissions, so the attacker could completely take control of an Exchange server through a single e-mail. This bug was reported through our program, and we’ll publish details about it in the near future.
- CVE-2020-0729 – LNK Remote Code Execution Vulnerability
Bugs impacting link files (.LNK) never fail to amaze me. If .LNK vulnerabilities ring a bell, that’s likely due to one being used in the Stuxnet malware that remained one of the most widely exploited software flaws for years to come. This bug is similar. An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or – as has been seen in the past – placing the .LNK file on a USB drive and having the user open it. It’s a handy way to exploit an air-gapped system.
- CVE-2020-0689 – Microsoft Secure Boot Security Feature Bypass Vulnerability
This security feature bypass bug could allow attackers to circumvent the Secure Boot feature and load untrusted software on an affected system. This is one of the publicly known bugs being patched this month. While this is certainly a bug to scrutinize, it’s compounded by a non-standard patching process. This month’s servicing stack must first be applied, then additional standalone security updates need to be installed. If you have the Windows Defender Credential Guard (Virtual Secure Mode) enabled, you’ll need to go through two additional reboots as well. All this is needed to block impacted third-party bootloaders.
Here’s the full list of CVEs released by Microsoft for February 2020. The XI columns give Microsoft’s Exploitability Index rating for the latest and for older software releases.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
--- | --- | --- | --- | --- | --- | --- | --- |
CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | Critical | Yes | Yes | 0 | 0 | RCE |
CVE-2020-0683 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2020-0686 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2020-0706 | Microsoft Browser Information Disclosure Vulnerability | Important | Yes | No | 2 | 2 | Info |
CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 | SFB |
CVE-2020-0729 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0738 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0681 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0734 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0673 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-0767 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0710 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0712 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0713 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0711 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2020-0662 | Windows Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0757 | Windows SSH Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0661 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0751 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | N/A | DoS |
CVE-2020-0660 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0665 | Active Directory Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0740 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0741 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0742 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0743 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0749 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0750 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0727 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0709 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
CVE-2020-0732 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
CVE-2020-0663 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-0692 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0720 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0721 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0722 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0723 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0725 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0726 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0731 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0719 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0724 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0691 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 | EoP |
CVE-2020-0703 | Windows Backup Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0701 | Windows Client License Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0685 | Windows COM Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0657 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0747 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0659 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0737 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0739 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0753 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0754 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0678 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0679 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0680 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0682 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0792 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0745 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0715 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0707 | Windows IME Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0668 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0669 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0670 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0671 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0672 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0733 | Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
CVE-2020-0666 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0667 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0735 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0752 | Windows Search Indexer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0730 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0704 | Windows Wireless Network Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0714 | DirectX Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0746 | Microsoft Graphics Components Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0717 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0716 | Win32k Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2020-0658 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2020-0744 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0698 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0736 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2020-0675 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0676 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0677 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0748 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0755 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0756 | Windows Key Isolation Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0728 | Windows Modules Installer Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0705 | Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0759 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0655 | Remote Desktop Services Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0708 | Windows Imaging Library Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0696 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-0702 | Surface Hub Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-0695 | Microsoft Office Online Server Spoofing Vulnerability | Important | No | No | 2 | N/A | Spoof |
CVE-2020-0697 | Microsoft Office Tampering Vulnerability | Important | No | No | N/A | 2 | Tampering |
CVE-2020-0693 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-0694 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
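A table this size is easier to triage with a script than by eye. The following is an added example, not code from the original post or from ZDI: it parses rows in the pipe-delimited format used above, reproduces the kind of counts quoted in the prose (totals by severity and type, publicly known, exploited), and orders the entries into deployment tiers. The tiering rule is this example’s own assumption, and the sample rows are a subset copied from the table.

```python
"""Triage helper for a Patch Tuesday CVE table in the pipe-delimited format above.
Added example, not from the original post; sample rows are copied from the
February 2020 table and the tiering rule is this example's own assumption."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the header plus eight rows copied from the table above.
SAMPLE_TABLE = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | Critical | Yes | Yes | 0 | 0 | RCE |
CVE-2020-0683 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2020-0689 | Microsoft Secure Boot Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 | SFB |
CVE-2020-0729 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0710 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2020-0691 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 | EoP |
CVE-2020-0693 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
"""

@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]  # Exploitability Index; None where the table says N/A
    xi_older: Optional[int]
    kind: str

def _xi(cell: str) -> Optional[int]:
    return None if cell.upper() == "N/A" else int(cell)

def parse_table(text: str) -> list:
    """Parse 'a | b | ... |' rows; the header row and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or cells[0] == "CVE":
            continue
        entries.append(Entry(cells[0], cells[1], cells[2], cells[3] == "Yes",
                             cells[4] == "Yes", _xi(cells[5]), _xi(cells[6]), cells[7]))
    return entries

def summarize(entries) -> dict:
    """The figures the post quotes in prose: totals by severity and type, public, exploited."""
    return {"total": len(entries),
            "by_severity": Counter(e.severity for e in entries),
            "by_type": Counter(e.kind for e in entries),
            "public": sum(e.public for e in entries),
            "exploited": sum(e.exploited for e in entries)}

def tier(e: Entry) -> int:
    """Deployment tier, 0 = most urgent (assumed rule): exploited in the wild, then publicly
    known, then Critical or XI 0/1. The XI test is what lifts CVE-2020-0688 above other Important bugs."""
    if e.exploited:
        return 0
    if e.public:
        return 1
    if e.severity == "Critical" or (e.xi_latest is not None and e.xi_latest <= 1):
        return 2
    return 3

def prioritize(entries) -> list:
    # (tier, CVE) pairs, most urgent first; ties broken by CVE id
    return sorted((tier(e), e.cve) for e in entries)
```

Run `prioritize(parse_table(SAMPLE_TABLE))` to see the ordering; feeding the full table above through `parse_table` reproduces the 99/12/87 split and the five public and one exploited bugs called out in the text.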
Of the remaining Critical-rated patches, CVE-2020-0662 stands out the most. This Windows bug could allow an attacker to execute their code on an affected system with elevated permissions. Microsoft does not specify which elevated level, but any code execution is troubling. It does appear that the attacker would need to be domain authenticated to exploit this bug, but no other mitigations are listed. Please note: Microsoft revised this bulletin post-publication to indicate the bug actually resides in the Internet Connection Sharing (ICS) service and could be exploited by an attacker who sends specially crafted packets to an affected DHCP server. If you are running DHCP, you should definitely prioritize the testing and deployment of this patch.
The Media Foundation component also has a code execution bug patched, although that one occurs at the logged-on user level. The Remote Desktop Client receives a couple of patches. Since these are client side, they aren’t wormable à la BlueKeep. The Remote Desktop Service receives a patch for a code execution bug, but an attacker would need to be authenticated to abuse clipboard redirection. This also keeps this bug out of the wormable category. The Critical-rated patches are rounded out by a half-dozen more patches for IE, but these are not listed as being under active attack at the time of release.
Looking at the Important-rated patches, the volume of Elevation of Privilege (EoP) bugs being patched is somewhat staggering, with 55 patches targeting these privilege escalation bugs. A large portion of these patches impact either the kernel or kernel-mode drivers. Other impacted components include the Error Reporting service, the Installer service, the Client License service, and the Connected Devices Platform service. Even the Malicious Software Removal Tool (MSRT) gets an EoP patch this month. Another interesting EoP affects the SSH component and how it handles Secure Socket Shell remote commands. Two of the EoP bugs in the Windows Installer service are listed as publicly known. In almost every case, an attacker would need to log on to an affected system and run a specially crafted program to elevate permissions.
Information disclosure bugs receive their fair share of attention with 16 patches in February, including the final publicly known bug impacting IE and Edge. Six of these bugs occur in the Cryptography Next Generation (CNG) portion of the Windows Key Isolation service. An attacker that took advantage of these bugs could collect data about the memory layout. As Microsoft puts it, “information that facilitates predicting addressing of the memory.” That’s a key piece of data needed for facilitating other exploits.
Beyond the previously mentioned security feature bypass (SFB) in Secure Boot, there are also patches to correct SFBs in Outlook and the Surface Hub. The Outlook URI parsing bug would need to be combined with another exploit to get code execution. An attacker would need to have physical access to a Surface Hub to exploit the bug receiving a patch. However, if they are in the same room as the device, they could access settings normally restricted to administrators.
Rounding out this month’s release, Office receives a few patches for code execution and spoofing bugs. There is also a pair of cross-site scripting (XSS) fixes for SharePoint. Finally, Hyper-V and the Remote Desktop Protocol receive patches to address Denial-of-Service bugs.
Although not released today, ADV200002 was re-released last week. This seems to be where Microsoft is documenting the patches for their new Chromium-based Edge browser. It will be interesting over time to see how much of a patch gap Microsoft will have for this browser. Google stated their own gap is down to 15 days, which may still be enough time for advanced threat actors.
In looking at other advisories released today, the first is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer. The other is the update to the Windows Servicing Stack, which now seems to be a standard monthly update.
Looking Ahead
The next Patch Tuesday falls on March 10, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!