Coverage Information for Microsoft April 2020 Security Update (CVE-2020-0938, CVE-2020-1020)

Description

Microsoft Security Updates for April 2020 (commonly known as Patch Tuesday) have been released to the public today. There were 113 updates in this month's release. Of the 113 vulnerabilities, three were zero-days that were disclosed today. Two of the three were discovered to be used in active in-the-wild (ITW) exploits.


They are:

CVE-2020-0938 (Adobe Font Manager Library Remote Code Execution Vulnerability)

CVE-2020-1020 (Adobe Font Manager Library Remote Code Execution Vulnerability)


According to Microsoft, a remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.

It is safe to surmise that additional in-the-wild exploits will appear after Patch Tuesday, in the period commonly known as "Exploit Wednesday", a term used within the InfoSec community for when attackers try to reverse engineer available patches. Sophisticated threat actors will likely try to leverage these disclosures and add them to their arsenal within the upcoming weeks. We will continue to update this post with any further relevant updates once available. For further information and guidance, please visit the APPENDIX section at the end of this document.


What versions of software are affected?

These vulnerabilities affect Windows 10, Windows 8/7, and Windows Server 2019/2016/2012/2008 platforms. Regarding available mitigation, if automatic updates are turned off, it is highly recommended to apply this month's update as soon as possible, if feasible.


Are there any suggested mitigations or workarounds?

Yes. For those unable to apply this month's updates, Microsoft has provided detailed, in-depth workarounds for CVE-2020-0938 and CVE-2020-1020. Please refer to the APPENDIX section for a link to the write-ups from Microsoft.


Have there been reports of in-the-wild exploitation?

Yes. According to Microsoft, CVE-2020-0938 and CVE-2020-1020 were observed being used in in-the-wild attacks.


What is the status of AV and IPS coverage?

Fortinet customers running the latest definitions set (15.816) are currently protected against CVE-2020-0938 and CVE-2020-1020 by the following IPS signatures, respectively:

MS.Win32k.Windows.GDI.Type.1.Font.Privilege.Escalation

MS.Adobe.Font.Driver.VToHOrigin.Remote.Code.Execution

AV coverage is not feasible for this event.