Description:

Microsoft has released security updates to address multiple vulnerabilities in the following products:

• Microsoft Windows

Windows 10, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2008 R2, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server, version 1803, 1903, 1909

• Internet Explorer
• Microsoft Office and Microsoft Office Services and Web Apps

Microsoft Excel 2010, Microsoft Excel 2013, Microsoft Office 2016, Microsoft Office 2019, Office 365 ProPlus

• ASP.NET Core
• .NET Core
• .NET Framework
• OneDrive for Android
• Microsoft Dynamics

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software
• Obtain information.
• Install programs; view, change, or delete data; or create new accounts with full user rights in Microsoft Office.
• Read content in Office Online Server the attacker is not authorized to read.
• Obtain users' credentials.
• Bypass the passcode or fingerprint requirements in One Drive for Android.
• Run arbitrary code remotely.

Best practice and Recommendations:

The CERT team encourages users to review Microsoft security advisory and apply the necessary updates:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan