Patch Tuesday, January 2020

Happy 2020! Microsoft is helping you celebrate the new decade with patches for 49 CVEs. Of those CVEs, eight are rated as "Critical," and 41 are rated as "Important." Among the "Critical" CVEs are four Remote Code Execution (RCE) vulnerabilities in the .NET Framework, and three RCE vulnerabilities in Remote Desktop (two for the client and one for the gateway). Ever since BlueKeep, RDP has been getting a monthly going through with a fine-toothed comb and a magnifying glass.

The vulnerabilities rated as "Important" include multiple RCE vulnerabilities in the Office suite and several Privilege Escalation vulnerabilities in various Windows components. Notable in that list is a Spoofing vulnerability in the Windows CryptoAPI (CVE-2020-0601). It could allow an attacker to spoof a valid encryption key and potentially hijack encrypted connections via a practically undetectable man-in-the-middle attack, or to impersonate a website that uses encryption, such as a banking or e-commerce site. An attacker could also use a spoofed certificate to sign software so that it appears "official and trusted," which would make it easier to place malware on systems.

Specifically, the vulnerability is in how Windows handles and validates public encryption keys that use certain ECC (Elliptic Curve Cryptography) algorithms. An ECC key has two parts: the bytes that define the key itself, and metadata in the form of ECC (curve) parameters. When Windows validated these keys, it checked only the key bytes and not the parameters. This allows an attacker to generate a false key that is accepted as long as its key bytes match a trusted key, even if the parameters do not. The vulnerability was introduced in Windows 10 because, prior to that, Windows did not support ECC parameters.
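To make the validation gap concrete, here is an added example (written for this page, not code from Microsoft or Trustwave) that models an ECC SubjectPublicKeyInfo as a small Python structure and contrasts a check that compares only the key bytes with one that also compares the algorithm and the curve parameters and refuses explicit parameters. The OIDs and the P-256 field constants are the standard ones; all key bytes, the explicit-parameter generator, and the function names are constructed for illustration.

```python
"""Added example for this post (not Microsoft's code): the CVE-2020-0601
validation flaw as described above, modelled on a small data structure.

A certificate's ECC public key is matched against a trusted root either
by public-key bytes alone (the flawed check) or by the complete
SubjectPublicKeyInfo, which also covers the algorithm and the curve
parameters (the hardened check). Sample key material is constructed and
is not real; the OIDs and the P-256 constants are the standard ones.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey
P256_OID = "1.2.840.10045.3.1.7"          # secp256r1 (NIST P-256)


@dataclass(frozen=True)
class ExplicitCurve:
    """X9.62 'specifiedCurve' parameters carried inside a certificate."""
    p: int
    a: int
    b: int
    generator: bytes   # uncompressed point 0x04 || Gx || Gy
    order: int


@dataclass(frozen=True)
class EcPublicKey:
    """The parts of an EC SubjectPublicKeyInfo that matter for this check."""
    algorithm: str                       # algorithm OID
    named_curve: Optional[str]           # curve OID when parameters are a namedCurve
    explicit: Optional[ExplicitCurve]    # set instead when parameters are explicit
    point: bytes                         # the public point, i.e. the "key bytes"


def vulnerable_matches_root(cert_key: EcPublicKey, root_key: EcPublicKey) -> bool:
    """Flawed check: only the public-key bytes are compared, so a key that
    carries its own explicit parameters but the same point bytes as a
    trusted root is accepted as that root."""
    return cert_key.point == root_key.point


def hardened_matches_root(cert_key: EcPublicKey, root_key: EcPublicKey) -> Tuple[bool, str]:
    """Hardened check: compare the whole SubjectPublicKeyInfo and refuse
    explicit curve parameters outright, so the root's own named curve is
    the only curve in which the point bytes are interpreted."""
    if cert_key.algorithm != root_key.algorithm:
        return False, "algorithm OID mismatch"
    if cert_key.explicit is not None:
        return False, "explicit curve parameters are not accepted"
    if cert_key.named_curve is None or cert_key.named_curve != root_key.named_curve:
        return False, "curve OID mismatch"
    if cert_key.point != root_key.point:
        return False, "public key bytes mismatch"
    return True, "ok"


# --- Constructed sample data (placeholder bytes, not real key material) ---
ROOT_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))

TRUSTED_ROOT = EcPublicKey(EC_PUBLIC_KEY_OID, P256_OID, None, ROOT_POINT)

# Standard P-256 field and curve constants; the generator below is a
# placeholder standing in for a base point that is not the standard one.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Same point bytes as the trusted root, but delivered with explicit
# parameters instead of the P-256 OID: the case the post describes.
FORGED_ROOT = EcPublicKey(
    EC_PUBLIC_KEY_OID,
    None,
    ExplicitCurve(P256_P, P256_A, P256_B, b"\x04" + b"\x11" * 64, P256_N),
    ROOT_POINT,
)

# A genuine P-256 key that simply is not the root: both checks must reject it.
OTHER_KEY = EcPublicKey(EC_PUBLIC_KEY_OID, P256_OID, None, b"\x04" + bytes(64))


def compare_checks(cert_key: EcPublicKey, root_key: EcPublicKey) -> dict:
    """Run both checks on one candidate key and report what each decides."""
    ok, reason = hardened_matches_root(cert_key, root_key)
    return {
        "vulnerable_accepts": vulnerable_matches_root(cert_key, root_key),
        "hardened_accepts": ok,
        "hardened_reason": reason,
    }


if __name__ == "__main__":
    print("genuine root:", compare_checks(TRUSTED_ROOT, TRUSTED_ROOT))
    print("forged root: ", compare_checks(FORGED_ROOT, TRUSTED_ROOT))
    print("other key:   ", compare_checks(OTHER_KEY, TRUSTED_ROOT))
```

Run as a script, the flawed check reports the forged key as the trusted root while the hardened check rejects it for carrying explicit parameters; a key with the correct curve but different point bytes is rejected by both. In a real validator the equivalent is to compare the candidate's DER-encoded SubjectPublicKeyInfo against the trusted root's, rather than the key bytes alone.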

Finally, today also marks the official "End of Life" for Windows 7 and Windows Server 2008. These operating systems have been around for a decade, and their mainstream support ended back in 2015. Given that much notice, we hope that organizations still using these operating systems have a plan in place to upgrade them if they haven't retired them already.

The End of Life means that Microsoft will no longer provide security updates like the ones listed below. This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a "soft spot" for a compromise. For instance, shortly after Windows XP went into End of Life, we saw widespread exploitation with the WannaCry campaign. While Microsoft did eventually release security fixes for XP, there's no assurance that the same would occur with Windows 7 if there were a similar campaign today. With the concerns around last year's potentially "wormable" BlueKeep (CVE-2019-0708) and new vulnerabilities discovered every month, this is not a time to let your systems go without security patches.

Users still running Windows 7 should upgrade to Windows 10, and servers still running Windows Server 2008 should be upgraded to at least Windows Server 2012; alternatively, consider replacing local servers with cloud services.

Luckily, none of the vulnerabilities patched today has a known exploit available (yet), so let's start the new decade off right and get to patching. Stay safe out there!


Critical

.NET Framework Remote Code Execution Vulnerability
CVE-2020-0646, CVE-2020-0605, CVE-2020-0606
Remote Code Execution

ASP.NET Core Remote Code Execution Vulnerability
CVE-2020-0603
Remote Code Execution

Internet Explorer Memory Corruption Vulnerability
CVE-2020-0640
Remote Code Execution

Remote Desktop Client Remote Code Execution Vulnerability
CVE-2020-0611
Remote Code Execution

Windows RDP Gateway Server Remote Code Execution Vulnerability
CVE-2020-0609, CVE-2020-0610
Remote Code Execution


Important

ASP.NET Core Denial of Service Vulnerability
CVE-2020-0602
Denial of Service

Hyper-V Denial of Service Vulnerability
CVE-2020-0617
Denial of Service

Microsoft Cryptographic Services Elevation of Privilege Vulnerability
CVE-2020-0620
Elevation of Privilege

Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
CVE-2020-0656
Spoofing

Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-0650, CVE-2020-0651, CVE-2020-0653
Remote Code Execution

Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2020-0622, CVE-2020-0607
Information Disclosure

Microsoft Office Memory Corruption Vulnerability
CVE-2020-0652
Remote Code Execution

Microsoft Office Online Spoofing Vulnerability
CVE-2020-0647
Spoofing

Microsoft OneDrive for Android Security Feature Bypass Vulnerability
CVE-2020-0654
Security Feature Bypass

Microsoft Windows Denial of Service Vulnerability
CVE-2020-0616
Denial of Service

Microsoft Windows Elevation of Privilege Vulnerability
CVE-2020-0641
Elevation of Privilege

Remote Desktop Web Access Information Disclosure Vulnerability
CVE-2020-0637
Information Disclosure

Update Notification Manager Elevation of Privilege Vulnerability
CVE-2020-0638
Elevation of Privilege

Win32k Elevation of Privilege Vulnerability
CVE-2020-0624, CVE-2020-0642
Elevation of Privilege

Win32k Information Disclosure Vulnerability
CVE-2020-0608
Information Disclosure

Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2020-0634
Elevation of Privilege

Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2020-0615, CVE-2020-0639
Information Disclosure

Windows CryptoAPI Spoofing Vulnerability
CVE-2020-0601
Spoofing

Windows Elevation of Privilege Vulnerability
CVE-2020-0635, CVE-2020-0644
Elevation of Privilege

Windows GDI+ Information Disclosure Vulnerability
CVE-2020-0643
Information Disclosure

Windows Remote Desktop Protocol (RDP) Gateway Server Denial of Service Vulnerability
CVE-2020-0612
Denial of Service

Windows Search Indexer Elevation of Privilege Vulnerability
CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633
Elevation of Privilege

Windows Security Feature Bypass Vulnerability
CVE-2020-0621
Security Feature Bypass

Windows Subsystem for Linux Elevation of Privilege Vulnerability
CVE-2020-0636
Elevation of Privilege