Post-Patch Tuesday Roundup: April 2020


Tim Lovegrove

Security Analyst

These are challenging times for everyone and we here at Softcat hope all our customers and their families are keeping safe and well. Unfortunately for the sysadmins of the world, Patch Tuesday rolls around with a familiar inevitability and April is no different. Adobe were light this month so we’ll focus a little more on the Microsoft releases.


113 vulnerabilities are fixed in April’s Patch Tuesday, with 19 being rated critical, several of which are being actively exploited in the wild.

The first two notable issues affect the Adobe Font Manager, and yes, that means that by simply accessing a malicious website, fonts can be used as a conduit for a remote code execution attack. CVE-2020-1020 and CVE-2020-0938 are very similar but distinct vulnerabilities and have been observed in use by attackers since late March. A third very similar font vulnerability, CVE-2020-0687, has a higher CVSS score than the previous two but hasn’t yet been seen in the wild, meaning Microsoft have been able to get it fixed before it was used. This last one can be delivered using a malicious document as well as the website method.

Also scoring highly this month are a pair of Hyper-V elevation of privilege bugs, CVE-2020-0917 and CVE-2020-0918. This type of bug is something of a holy grail for attackers, as it allows an attack on a virtual machine to give them access to the underlying server OS by manipulating shared memory space. This in turn can give control over other guest VMs and potentially access into the datacentre itself. A third such bug, CVE-2010-910, enables a remote code execution attack by failing to validate user input correctly, with the potential for the same end result.

On the plus side, it’s typically hard to gain enough access to a VM to use these attacks, as virtual machines are rarely presented in a way that would give direct access to the OS, particularly from the Internet. As a result, hypervisor escape bugs are often chained with several other exploits first, which are used to gain a foothold or shell on the target machine before attempting to move “up and out” into the hypervisor.

Aside from these headlines there’s a large number of Elevation of Privilege bugs rated as Important. These cover a range of apps and services, including the Microsoft Store Install service, User-Mode Power service, Windows Delivery Optimisation, graphics components, the Windows kernel itself and even the Windows Update Client. These all score fairly highly, with CVSS scores around 7.8, but primarily appear to be Microsoft tidying up code and fixing things in the background rather than being reactive to a known threat. Still, the sheer number of bugs indicates that this set of updates could take a while to install, and patches cover all current operating systems, as well as Windows 7 and Server 2008/R2.