January 2020 Patch Tuesday has seen Microsoft issue patches for 49 vulnerabilities including 7 rated critical, along with a fix for the Crypt32.dll vulnerability discovered and publicly disclosed by the U.S. National Security Agency. Microsoft has also issued its last round of updates for Windows 7, which reached end of life on January 14.
None of the vulnerabilities in this month’s updates are being exploited in the wild and details of the vulnerabilities have not been publicly disclosed. That said, it is important to apply the patches as soon as possible to keep Windows devices secure.
While the NSA rated the Windows 10 and Windows Server 2016/2019 Crypt32.dll vulnerability as critical, Microsoft has only marked the flaw as important. This is the first time that the discovery of a vulnerability has been attributed to the NSA, and under a new NSA initiative of vulnerability disclosures, it is unlikely to be the last.
The flaw – CVE-2020-0601 – is due to how the Windows CryptAPI validates Elliptic Curve Cryptography (ECC) certificates, which could allow threat actors to spoof ECC certificates and make their malicious code appear to have been signed by legitimate companies and could be used in MiTM attacks. An attack could lead to the interception of sensitive information and remote code execution.
Three critical vulnerabilities have been patched that affect Windows Remote Desktop Gateway, two of which could lead to remote code execution if an unauthenticated remote user connects to a vulnerable system and sends a specially crafted packet. The third vulnerability could be exploited by connecting to a vulnerable system and sending a specially crafted packet, which could cause the gateway to stop responding. The flaws are CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611
Three critical flaws affecting the .Net Framework have been patched: CVE-2020-0605, CVE-2020-0606, and CVE-2020-0646. CVE-2020-0605 and CVE-2020-0606 are due to the software failing to check the source markup of a file, which could be exploited to allow remote code execution on a vulnerable system. CVE-2020-0646 is an input validation flaw which could allow an attacker to take full control of a vulnerable system. To exploit the vulnerability, an attacker would need to pass specific input to an application utilizing susceptible .Net methods.
The remaining critical flaw affects ASP.Net and is tracked as CVE-2020-0603. The flaw exists when ASP.NET Core software fails to handle objects in memory. The vulnerability could be exploited if a user is convinced to open a specially crafted file with an affected version of ASP.NET Core.
Adobe has also issued its first set of 2020 patches. There are no updates for Adobe Flash Player or Adobe Reader in the January 2020 round of updates. Four patches have been released for Adobe Experience Manager and five for Adobe Illustrator CC. Three of the Adobe Experience Manager flaws have been rated important and one has been rated moderate severity.
The five vulnerabilities in Adobe Illustrator CC are all memory corruption flaws that allow remote code execution and all 5 have been rated critical. They are CVE-2020-3710, CVE-2020-3711, CVE-2020-3712. CVE-2020-3713, and CVE-2020-3714. The vulnerabilities have been corrected in Adobe Illustrator CC 24.0.2.