Microsoft January 2020 Patch Tuesday fixes 49 security bugs
Microsoft has released today the January 2020 Patch Tuesday security updates. This month’s updates include fixes for 49 vulnerabilities, of which eight are rated with a severity rating of “critical.”
By far, today’s most notable patched bug is a vulnerability in CryptoAPI (Crypt32.dll), the default Windows cryptographic library, a bug that was discovered and reported to Microsoft by the NSA.
The bug (CVE-2020-0601) is considered as bad as it gets. It can allow a threat actor to fake file signatures and launch man-in-the-middle attacks on encrypted HTTPS communications. See our previous coverage on this bug for additional details here.
But besides this bug, there are also two other important issues that will need patching. These two bugs both impact Windows Server 2016 and Windows Server 2012.
According to Microsoft, the Windows Remote Desktop Gateway (RD Gateway) component running on these systems is vulnerable to a remote code execution flaw that allows attackers to take over vulnerable Windows servers by initiating an RDP connection and sending specially crafted requests.
These two vulnerabilities — tracked as CVE-2020-0609 and CVE-2020-0610 — occur before the RDP authention process and require no user interaction from the server owner.
There’s two new pre-auth RCE with CVSS score 9.8 in RD Gateway, commonly used to protect RDP servers (adds MFA etc).
RD Gateway is a (great, btw) Enterprise solution for protecting those RDP boxes. You probably want to patch these. https://t.co/V13hp2tiYQ https://t.co/SSfF1l6nBu
— Kevin Beaumont (@GossiTheDog) January 14, 2020
All in all, the Microsoft January 2020 Patch Tuesday is smaller than many of Microsoft’s 2019 Patch Tuesdays, but it’s surely no less important, as the three bugs presented above stand testament.
Users are advised to make time to download and install these security fixes at their earliest convenience.
Besides Windows, other products that received fixes this month include Internet Explorer, ASP.NET, the .NET Framework, Microsoft Dynamics, OneDrive forAndroid, Microsoft Office, and Microsoft Office Services and Web Apps.
Additional useful Patch Tuesday information is below:
- Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
- ZDNet also put together this page listing all security updates on one single page, in one place.
- Additional analysis of today’s Patch Tuesday is also available from SANS ISC and Trend Micro.
- This month’s Adobe security updates are detailed here.
- SAP security updates are detailed here.
- VMWare security fixes are here and here.
- Intel security updates are available here.
- Oracle’s Q1 critical patch updates have also been released today, and are detailed here.
- The Android Security Bulletin for January 2020 is detailed here. Patches started rolling out to users’ phones last week.
| Tag | CVE ID | CVE Title |
|---|---|---|
| .NET Framework | CVE-2020-0606 | .NET Framework Remote Code Execution Vulnerability |
| .NET Framework | CVE-2020-0605 | .NET Framework Remote Code Execution Vulnerability |
| .NET Framework | CVE-2020-0646 | .NET Framework Remote Code Execution Injection Vulnerability |
| Apps | CVE-2020-0654 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability |
| ASP.NET | CVE-2020-0603 | ASP.NET Core Remote Code Execution Vulnerability |
| ASP.NET | CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerability |
| Common Log File System Driver | CVE-2020-0615 | Windows Common Log File System Driver Information Disclosure Vulnerability |
| Common Log File System Driver | CVE-2020-0634 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Common Log File System Driver | CVE-2020-0639 | Windows Common Log File System Driver Information Disclosure Vulnerability |
| Microsoft Dynamics | CVE-2020-0656 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Graphics Component | CVE-2020-0622 | Microsoft Graphics Component Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-0607 | Microsoft Graphics Components Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-0642 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-0643 | Windows GDI+ Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-0650 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-0652 | Microsoft Office Memory Corruption Vulnerability |
| Microsoft Office | CVE-2020-0653 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-0651 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-0647 | Microsoft Office Online Spoofing Vulnerability |
| Microsoft Scripting Engine | CVE-2020-0640 | Internet Explorer Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2020-0644 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0624 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0635 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0620 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0616 | Microsoft Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2020-0608 | Win32k Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability |
| Microsoft Windows | CVE-2020-0621 | Windows Security Feature Bypass Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0633 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0623 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0613 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0614 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0632 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0627 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0628 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0625 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0626 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0629 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0631 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Microsoft Windows Search Component | CVE-2020-0630 | Windows Search Indexer Elevation of Privilege Vulnerability |
| Windows Hyper-V | CVE-2020-0617 | Hyper-V Denial of Service Vulnerability |
| Windows Media | CVE-2020-0641 | Microsoft Windows Elevation of Privilege Vulnerability |
| Windows RDP | CVE-2020-0610 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability |
| Windows RDP | CVE-2020-0609 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability |
| Windows RDP | CVE-2020-0637 | Remote Desktop Web Access Information Disclosure Vulnerability |
| Windows RDP | CVE-2020-0612 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |
| Windows RDP | CVE-2020-0611 | Remote Desktop Client Remote Code Execution Vulnerability |
| Windows Subsystem for Linux | CVE-2020-0636 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
| Windows Update Stack | CVE-2020-0638 | Update Notification Manager Elevation of Privilege Vulnerability |
READ MORE HERE