Microsoft security alert.
April 14, 2020
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 104 vulnerabilities that were fixed in 11 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 11 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for April 2020
- Severity
- Critical 4
- Qualys ID
- 100403
- Vendor Reference
- KB4549949, KB4549951, KB4550905, KB4550917, KB4550922, KB4550927, KB4550929, KB4550930, KB4550951, KB4550961, KB4550964
- CVE Reference
- CVE-2020-0895, CVE-2020-0966, CVE-2020-0967, CVE-2020-0968
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft releases the security update for Internet Explorer April 2020
The KB Articles associated with the update:
KB4550961
KB4550905
KB4550951
KB4550930
KB4550964
KB4550927
KB4549949
KB4550917
KB4549951
KB4550929
KB4550922
QID Detection Logic:This QID checks for the file version of Mshtml.dll
The following versions of Mshtml.dll with their corresponding KBs are verified:
KB4550961 - 11.0.9600.19678
KB4550905 - 9.0.8112.21433 , 11.0.9600.19671
KB4550951 - 9.0.8112.21433
KB4550930 - 11.0.10240.18545
KB4550964 - 11.0.9600.19671
KB4550927 - 11.0.16299.1806
KB4549949 - 11.0.17763.1158
KB4550917 - 11.0.9600.19671
KB4549951 - 11.0.18362.778
KB4550922 - 11.0.17134.1425
Note : For KB4550929, "ntoskrnl.exe" is check because other IE related files are not updated.
- Consequence
- The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Internet Explorer
-
Microsoft SharePoint Foundation and SharePoint Server Update April 2020
- Severity
- Critical 4
- Qualys ID
- 110347
- Vendor Reference
- KB2553306, KB4011581, KB4011584, KB4462153, KB4484291, KB4484292, KB4484293, KB4484297, KB4484298, KB4484299, KB4484301, KB4484307, KB4484308, KB4484321, KB4484322
- CVE Reference
- CVE-2020-0920, CVE-2020-0923, CVE-2020-0924, CVE-2020-0925, CVE-2020-0926, CVE-2020-0927, CVE-2020-0929, CVE-2020-0930, CVE-2020-0931, CVE-2020-0932, CVE-2020-0933, CVE-2020-0954, CVE-2020-0971, CVE-2020-0972, CVE-2020-0973, CVE-2020-0974, CVE-2020-0975, CVE-2020-0976, CVE-2020-0977, CVE-2020-0978, CVE-2020-0980
- CVSS Scores
- Base 9.3 / Temporal 7.3
- Description
-
Microsoft has released April 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4484297
KB2553306
KB4484299
KB4484292
KB4484298
KB4484321
KB4462153
KB4484301
KB4484308
KB4484291
KB4484322
KB4011584
KB4011581
KB4484307
KB4484293
QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft SharePoint Foundation and SharePoint Server April 2020
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2020
- Severity
- Critical 4
- Qualys ID
- 110348
- Vendor Reference
- KB3128012, KB3162033, KB3203462, KB4011097, KB4011104, KB4032216, KB4462210, KB4462225, KB4464527, KB4464544, KB4475609, KB4484117, KB4484125, KB4484126, KB4484132, KB4484167, KB4484214, KB4484226, KB4484229, KB4484235, KB4484238, KB4484244, KB4484246, KB4484258, KB4484260, KB4484266, KB4484269, KB4484273, KB4484274, KB4484281, KB4484283, KB4484284, KB4484285, KB4484287, KB4484290, KB4484294, KB4484295, KB4484296, KB4484300, KB4484319
- CVE Reference
- CVE-2020-0760, CVE-2020-0906, CVE-2020-0954, CVE-2020-0961, CVE-2020-0979, CVE-2020-0980, CVE-2020-0991
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released April 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB3162033
KB4011097
KB4484125
KB4484273
KB3128012
KB4484214
KB4484246
KB4484244
KB4484300
KB4484167
KB4484269
KB4484274
KB4484285
KB4484283
KB3203462
KB4484126
KB4011104
KB4484117
KB4484235
KB4484132
KB4462225
KB4484295
KB4484319
KB4464544
KB4484287
KB4484238
KB4484229
KB4462210
KB4464527
KB4484226
KB4484281
KB4484284
KB4032216
KB4484258
KB4484266
KB4484260
KB4484290
KB4484294
KB4484296
KB4475609
QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2020
-
Microsoft Remote Desktop Mac App Update for April 2020
- Severity
- Serious 3
- Qualys ID
- 372505
- Vendor Reference
- CVE-2020-0919
- CVE Reference
- CVE-2020-0919
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
An elevation of privilege vulnerability exists in Remote Desktop App for Mac in the way it allows an attacker to load unsigned binaries. To exploit this vulnerability, an attacker would have to first get access to the victim's system. The update addresses the vulnerability by correcting how Remote Desktop App for Mac validates signatures.
Affected Versions:
Microsoft Remote Desktop for Mac versions prior to 10.3.9QID Detection Logic:
This authenticated QID detects vulnerable versions of Microsoft Remote Desktop for Mac by comparing versions from CFBundleShortVersionString in /Applications/Microsoft\ Remote\ Desktop.app/Contents/Info.plist - Consequence
-
Successful exploitation will allow an attacker to install programs; view, change, or delete data with the logged in user's privileges.
- Solution
-
Customers are advised to refer to CVE-2020-0919 for updates pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0919
-
Microsoft RMS Sharing Mac App Update for April 2020
- Severity
- Serious 3
- Qualys ID
- 372506
- Vendor Reference
- CVE-2020-1019
- CVE Reference
- CVE-2020-1019
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
An elevation of privilege vulnerability exists in RMS Sharing App for Mac in the way it allows an attacker to load unsigned binaries. To exploit this vulnerability, an attacker would first have to get access to the victim's system. The update addresses the vulnerability by correcting how the app validates signatures.
Affected Versions:
Microsoft RMS Sharing for Mac versions prior to 1.3.3.
QID Detection Logic:
This authenticated QID detects vulnerable versions of RMS Sharing by comparing versions from CFBundleShortVersionString in /Applications/RMS_sharing.app/Contents/Info.plist - Consequence
-
Successful exploitation allows an attacker to install programs; view, change, or delete data with the logged in user's privileges.
- Solution
-
Customers are advised to refer to CVE-2020-1019 for information pertaining to patching this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-1019
-
Microsoft AutoUpdate (MAU) Office Elevation of Privilege Vulnerability April 2020
- Severity
- Serious 3
- Qualys ID
- 372507
- Vendor Reference
- CVE-2020-0984
- CVE Reference
- CVE-2020-0984
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
An elevation of privilege vulnerability exists when the Microsoft AutoUpdate (MAU) application for Mac improperly validates updates before executing them.
Affected Software:
Microsoft AutoUpdate Version prior to 4.22QID Detection Logic (Authenticated):
The authenticated check looks for installed Mac packages. - Consequence
- An attacker who successfully exploited the vulnerability who already has the ability to execute code on a system could elevate privileges.
- Solution
-
Users are advised to check CVE-2020-0984 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0984
-
Microsoft Windows Servicing Stack Security Update April 2020
- Severity
- Medium 2
- Qualys ID
- 91618
- Vendor Reference
- ADV990001
- CVE Reference
- N/A
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Microsoft has released Servicing Stack security updates for Windows 2008, Windows 7, Windows 2008 R2, Windows 10 1903, and Windows 10 1909.
QID Detection Logic (Authenticated):
This authenticated QID will check for file version of CbsCore.dll - Consequence
-
Successful exploitation may allow unauthorized disclosure of information, unauthorized modification or disruption of service.
- Solution
-
Customers are advised to refer to advisory ADV990001 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV990001
-
Microsoft Visual Studio Security Update for April 2020
- Severity
- Critical 4
- Qualys ID
- 91620
- Vendor Reference
- CVE-2020-0899, CVE-2020-0900
- CVE Reference
- CVE-2020-0899, CVE-2020-0900
- CVSS Scores
- Base 3.6 / Temporal 2.7
- Description
-
An elevation of privilege vulnerability exists when Microsoft Visual Studio updater service improperly handles file permissions. An attacker who successfully exploited this vulnerability could overwrite arbitrary file content in the security context of the local system.
An elevation of privilege vulnerability exists when the Visual Studio Extension Installer Service improperly handles file operations. An attacker who successfully exploited the vulnerability could delete files in arbitrary locations with elevated permissions.
Affected Software:
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 Version 15.9 (includes 15.1 - 15.8)
Microsoft Visual Studio 2019 Version 16.0
Microsoft Visual Studio 2019 Version 16.4 (includes 16.0 - 16.3)BR> Microsoft Visual Studio 2019 version 16.5QID Detection Logic:Authenticated
This QID detects vulnerable versions of Microsoft Visual Studio by checking file version of devenv.exe. NOTE: Microsoft Visual Studio 2015 Update 3 is only prone to CVE-2020-0900. - Consequence
- Successful exploitation allows attacker to overwrite arbitrary and delete files in arbitrary locations with elevated permissions.
- Solution
-
Customers are advised to refer to CVE-2020-0899 CVE-2020-0900 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0899
CVE-2020-0900
-
Microsoft Windows Security Update for April 2020
- Severity
- Critical 4
- Qualys ID
- 91622
- Vendor Reference
- KB4549949, KB4549951, KB4550917, KB4550922, KB4550927, KB4550929, KB4550930, KB4550951, KB4550957, KB4550961, KB4550964, KB4550965, KB4550970, KB4550971
- CVE Reference
- CVE-2020-0687, CVE-2020-0699, CVE-2020-0784, CVE-2020-0794, CVE-2020-0821, CVE-2020-0888, CVE-2020-0889, CVE-2020-0907, CVE-2020-0910, CVE-2020-0913, CVE-2020-0917, CVE-2020-0918, CVE-2020-0934, CVE-2020-0936, CVE-2020-0937, CVE-2020-0938, CVE-2020-0939, CVE-2020-0940, CVE-2020-0942, CVE-2020-0944, CVE-2020-0945, CVE-2020-0946, CVE-2020-0947, CVE-2020-0948, CVE-2020-0949, CVE-2020-0950, CVE-2020-0952, CVE-2020-0953, CVE-2020-0955, CVE-2020-0956, CVE-2020-0957, CVE-2020-0958, CVE-2020-0959, CVE-2020-0960, CVE-2020-0962, CVE-2020-0964, CVE-2020-0965, CVE-2020-0981, CVE-2020-0982, CVE-2020-0983, CVE-2020-0985, CVE-2020-0987, CVE-2020-0988, CVE-2020-0992, CVE-2020-0993, CVE-2020-0994, CVE-2020-0995, CVE-2020-0996, CVE-2020-0999, CVE-2020-1000, CVE-2020-1001, CVE-2020-1003, CVE-2020-1004, CVE-2020-1005, CVE-2020-1006, CVE-2020-1007, CVE-2020-1008, CVE-2020-1009, CVE-2020-1011, CVE-2020-1014, CVE-2020-1015, CVE-2020-1016, CVE-2020-1017, CVE-2020-1027, CVE-2020-1029, CVE-2020-1094
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft releases the security update for Windows April 2020
The KB Articles associated with the update:
KB4550964
KB4550965
KB4550927
KB4549949
KB4550917
KB4550929
KB4550922
KB4550957
KB4550961
KB4550970
KB4549951
KB4550951
KB4550971
KB4550930
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB4550964 - 6.1.7601.24552
KB4550965 - 6.1.7601.24552
KB4550927 - 10.0.16299.1806
KB4549949 - 10.0.17763.1158
KB4550917 - 6.2.9200.23022
KB4550929 - 10.0.14393.3620
KB4550922 - 10.0.17134.1425
KB4550957 - 6.0.6003.20812
KB4550961 - 6.3.9600.19678
KB4550970 - 6.3.9600.19678
KB4549951 - 10.0.18362.778
KB4550951 - 6.0.6003.20812
KB4550971 - 6.2.9200.23022
KB4550930 - 10.0.10240.18545
Note: Detection for CVE-2020-1020 is in the original zero day QID: 91617
- Consequence
- An attacker who successfully exploited the vulnerability could take control of the affected system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft OneDrive for Windows Elevation of Privilege Vulnerability April 2020
- Severity
- Serious 3
- Qualys ID
- 91624
- Vendor Reference
- CVE-2020-0935
- CVE Reference
- CVE-2020-0935
- CVSS Scores
- Base 2.1 / Temporal 1.6
- Description
-
An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.
Affected Software:
OneDrive Production Ring Version prior to 19.232.1124.0012
OneDrive Deferred(Enterprise) Ring Version prior to 19.222.1110.0011
QID Detection Logic:Authenticated
This QID detects vulnerable versions of OneDrive by checking file version of OneDrive.exeNOTE: Only per machine installation (System wide installation) of OneDrive are affected.
- Consequence
- Successful exploitation of this vulnerability could allow an attacker to overwrite a targeted file leading to an elevated status.
- Solution
-
Customers are advised to refer to CVE-2020-0935for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0935
-
Microsoft Edge Security Update for April 2020
- Severity
- Critical 4
- Qualys ID
- 91625
- Vendor Reference
- KB4549949, KB4549951, KB4550922, KB4550927, KB4550929, KB4550930
- CVE Reference
- CVE-2020-0969, CVE-2020-0970
- CVSS Scores
- Base 7.6 / Temporal 5.6
- Description
-
Microsoft releases the security update for Microsoft Edge April 2020
The KB Articles associated with the update:
KB4549949
KB4549951
KB4550922
KB4550927
KB4550929
KB4550930
QID Detection Logic:Authenticated
This QID checks for the file version of chakra.dll - Consequence
- On successfull exploitation,an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Please refer to the CVE-2020-0969 for more information pertaining to these vulnerabilities.
Please refer to the CVE-2020-0970 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0969
CVE-2020-0970
These new vulnerability checks are included in Qualys vulnerability signature 2.4.865-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100403
- 110347
- 110348
- 372505
- 372506
- 372507
- 91618
- 91620
- 91622
- 91624
- 91625
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.