Threat Signal Report

Coverage Information for Microsoft April 2020 Security Update for (CVE-2020-0938, CVE-2020-1020)

Description

Microsoft Security Updates for April 2020 (commonly known as Patch Tuesday) were released to the public today. This month's release addresses 113 vulnerabilities. Three of them were zero days that were already public or under attack before a fix was available, and two of the three were observed being used in active, in-the-wild (ITW) exploits.


They are:

CVE-2020-0938 (Adobe Font Manager Library Remote Code Execution Vulnerability)

CVE-2020-1020 (Adobe Font Manager Library Remote Code Execution Vulnerability)


According to Microsoft, a remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. On all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. On Windows 10, the font parser runs in an AppContainer sandbox, so an attacker who successfully exploited the vulnerability could only execute code in that sandbox context with limited privileges and capabilities. Outside the sandbox, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document, or simply to view it in the Windows Preview pane, since the font is parsed when the file is rendered, not only when it is opened.

It is safe to assume that additional in-the-wild exploits will appear in the days after Patch Tuesday. The InfoSec community refers to this period as "Exploit Wednesday": attackers diff the released patches against the unpatched binaries to locate the fixed code and build exploits from it. Sophisticated threat actors will likely leverage these disclosures and add them to their arsenals within the coming weeks. We will continue to update this post as further relevant information becomes available. For further information and guidance, please see the APPENDIX section at the end of this document.


What versions of software are affected?

These vulnerabilities affect Windows 10, Windows 8.1, Windows 7, and Windows Server 2019, 2016, 2012 and 2008. Note that Windows 7 and Windows Server 2008/2008 R2 reached end of support in January 2020; the fix is only delivered to those systems through Extended Security Updates (ESU). If automatic updates are turned off, it is highly recommended that this month's update be applied as soon as feasible.


Are there any suggested mitigations or workarounds?

Yes. For those unable to apply this month's updates, Microsoft has provided detailed workarounds covering both CVE-2020-0938 and CVE-2020-1020: disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and disabling or renaming ATMFD.DLL. These reduce the attack surface (the Preview pane and WebDAV are the most common delivery paths) but do not fix the underlying parsing bug, and should be reverted once the update is applied. Please refer to the APPENDIX section for a link to Microsoft's write-ups.
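As an added example (not code from this report, from Fortinet, or from Microsoft), the following PowerShell script audits a host for the three workarounds Microsoft published in advisory ADV200006 for these two CVEs and, when run with -Apply, applies them. It assumes the DisableATMFD registry value and the atmfd.dll takeown/icacls/rename procedure as given in that advisory; the Explorer policy values NoPreviewPane and NoReadingPane are an assumption used here in place of the per-user GUI steps in the advisory and should be verified in your environment before deployment.

```powershell
#Requires -RunAsAdministrator
# Audit (and optionally apply) Microsoft's ADV200006 workarounds for the
# Adobe Type Manager font parsing bugs. Added example, not vendor code.
# Assumption: NoPreviewPane/NoReadingPane stand in for the advisory's GUI steps.
param([switch]$Apply)

$atmfdKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$atmfdPaths = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll")

function Get-AtmfdWorkaroundStatus {
    # Reports each workaround independently so partial coverage is visible.
    $svc     = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $disable = (Get-ItemProperty -Path $atmfdKey -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    $panes   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WebClientDisabled = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
        DisableATMFDSet   = ($disable -eq 1)
        AtmfdDllPresent   = @($atmfdPaths | Where-Object { Test-Path $_ })   # empty = renamed/absent
        PreviewPanesOff   = ($panes.NoPreviewPane -eq 1 -and $panes.NoReadingPane -eq 1)
    }
}

function Invoke-AtmfdWorkarounds {
    # 1. Preview and Details panes off for the current user (repeat per profile as needed).
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name NoPreviewPane -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name NoReadingPane -Value 1 -Type DWord

    # 2. WebClient (WebDAV) off: removes the remote-share delivery path for a crafted font.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }

    # 3a. Windows 10: instruct the system not to load ATMFD at all.
    New-Item -Path $atmfdKey -Force | Out-Null
    Set-ItemProperty -Path $atmfdKey -Name DisableATMFD -Value 1 -Type DWord

    # 3b. Older systems: take ownership of atmfd.dll, save its ACL, and rename it out of the way.
    foreach ($dll in $atmfdPaths) {
        if (-not (Test-Path $dll)) { continue }
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /save "$dll.acl" | Out-Null            # keep the original ACL to restore later
        & icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'
    }
    Write-Warning 'Reboot required before the ATMFD changes take effect; revert after patching.'
}

Get-AtmfdWorkaroundStatus | Format-List
if ($Apply) {
    Invoke-AtmfdWorkarounds
    Get-AtmfdWorkaroundStatus | Format-List
}
```

Run it without arguments to get a status report suitable for fleet auditing; run it with -Apply on hosts that cannot take the update yet. The saved .acl file is what lets you restore atmfd.dll's permissions when you undo the rename after patching.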


Have there been reports of in the wild exploitation?

Yes. According to Microsoft, CVE-2020-0938 and CVE-2020-1020 were observed being exploited in the wild.


What is the status of AV and IPS coverage?

Fortinet customers running the latest definition set (15.816) are currently protected against CVE-2020-0938 and CVE-2020-1020 by the following IPS signatures:

MS.Win32k.Windows.GDI.Type.1.Font.Privilege.Escalation

MS.Adobe.Font.Driver.VToHOrigin.Remote.Code.Execution

AV coverage is not feasible for this event.


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.