Security advisories | Mar 24, 2020

Windows RCE Zero-Days Announced

THE THREAT

Update 2020/04/16: On April 14, 2020, Microsoft released security patches for both of the vulnerabilities mentioned in this advisory (CVE-2020-0938, CVE-2020-1020). After performing a business impact review, organizations should apply the latest Microsoft security patches to avoid impact.

Microsoft has announced two un-patched vulnerabilities affecting all supported versions of Windows and Windows Servers [1]. Limited attacks exploiting the vulnerabilities have been identified in the wild. If exploited, a remote and unauthenticated attacker could execute code on vulnerable systems. Successful exploitation could lead to the full compromise of targeted devices. Microsoft is actively developing a security patch for these vulnerabilities; once released, applying the patches should be high priority for organizations.

What we’re doing about it

  • eSentire security teams are monitoring the situation for new information.

What you should do about it

  • Once available, apply the official Microsoft security patches.
  • Consider following the official workarounds recommended by Microsoft:
    • Disable the Preview Pane and Details Pane in Windows Explorer [1].
    • Be aware that depending on individual use cases the workaround may have unforeseen disruptions, such as being unable to view OTF fonts in Windows Explorer.
    • Microsoft cautions against following these migration steps for Windows 10 machines, due to the lower risk of exploitation on the Windows 10 platform.
  • Ensure best practices are being followed relating to email security, including: avoiding opening links and attachments from unknown sources, always checking the sender address for irregularities and hovering over links before opening [2].

Additional information

The vulnerabilities reside in the Windows Adobe Type Manager Library and affects all supported Windows versions including:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019

In order to exploit this vulnerability, threat actors would need to convince the victim to view a maliciously crafted document. Attacks employing this vulnerability are likely email based, increasing the importance of user awareness and email security.

Attacks exploiting this vulnerability in the wild have been limited and targeted in nature; at the time of writing, Windows 10 machines have not been a part of this activity [1].

Official CVE numbers for these vulnerabilities have not been made public at this time.

References:

[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

[2] https://digitalguardian.com/blog/what-email-security-data-protection-101