The first "update Tuesday" of 2020 brought corrections 49 vulnerabilities in Microsoft products, eight of which have received the status of "critical". The most notable error of this month was definitely the bug in Windows CryptoAPI (Crypt32.dll) discovered by NSA researchers, which we already wrote about separately.
But besides the aforementioned issue CVE-2020-0601, two other notable vulnerabilities that affect Windows Server 2016 and Windows Server 2012 have been fixed: CVE-2020-0609 and CVE-2020-0610. According to Microsoft, the Windows Remote Desktop Gateway (RD Gateway) component is vulnerable to remote code execution, which allows attackers to capture vulnerable Windows servers using RDP and specially crafted requests. Another similar vulnerability (CVE-2020-0611) is already on the client side, not the gateway. User interaction is not required to exploit these problems.
Office also fixed several remote code execution vulnerabilities that could be exploited when a user opens a specially crafted document. These include three problems in Excel (CVE-2020-0650, CVE-2020-0651 and CVE-2020-0653), as well as one bug in Office as a whole (CVE-2020-0652)
Finally, this “update Tuesday” was marked by the release of the latest official security patches for Windows 7 and Server 2008, whose support was discontinued on January 14, 20202.
Intel, Adobe and others
This week, not only Microsoft released the first patches in the new year.
So, this month Intel issued a number of security recommendations, including one that the company considers serious. Disadvantage CVE-2019-14613 Enables privilege escalation with VTune Amplifier for Windows.
Also Intel eliminated information leakage (CVE-2019-14615) in Processor Graphics, which posed a danger to Windows, Linux, and possibly other operating systems; denial of service error (CVE-2019-14596) as part of the Chipset Device Software INF Utility; and privilege escalation error (CVE-2019-14601) in RAID Web Console 3 for Windows.
Adobe began 2020 with a small portion of patches, fixing a total nine bugs in Illustrator and Experience Manager products. So, the update for Illustrator CC 2019 for Windows fixes five critical errors related to the violation of the integrity of information in memory, which can lead to the execution of arbitrary code in the context of the target user. In turn, four vulnerabilities in Adobe Experience Manager were rated as important and moderate. These bugs could lead to the disclosure of confidential information (through XSS attacks or expression language injections).
Important patch prepared and developers of VMware. The fix for VMware Tools fixes CVE-2020-3941: a race condition problem that could potentially allow an attacker to upgrade their privileges on a Windows virtual machine.
SAP released six fixes this month and one update to an earlier security bulletin. Of these seven newsletters the most serious ones concern bug CVE-2020-6305 – XSS vulnerabilities in Rest Adapter for SAP Process Integration. Other fixes include a patch for denial of service issues in NetWeaver Internet Communication Manager (CVE-2020-6304) and a lack of authorization checks in the Realtech RTCISM 100.