Security Warnings

Classification
These posts contain security warnings, including digital loopholes, electronic attacks, and technical updates, and they are classified based on the level of severity.

Critical

High

Medium

Low

Microsoft Updates


Warning Date: 15 January, 2020

Severity Level: Critical

Warning Number: 2020-793

Target Sector: All

Description:

Microsoft has released security updates to address multiple vulnerabilities in the following products:

  • Microsoft Windows

Windows 10, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server, version 1803, 1903, 1909

  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps

Microsoft Excel 2010, Microsoft Excel 2013, Microsoft Office 2016, Microsoft Office 2019, Office 365 ProPlus

  • ASP.NET Core
  • .NET Core
  • .NET Framework
  • OneDrive for Android
  • Microsoft Dynamics

Threats:

An attacker could exploit these vulnerabilities to do the following:

  • Exploit a vulnerability in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates: by using a spoofed code-signing certificate to sign a malicious executable, the attacker can make the file appear to come from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
  • Obtain information.
  • Install programs; view, change, or delete data; or create new accounts with full user rights in Microsoft Office.
  • Read content in Office Online Server the attacker is not authorized to read.
  • Obtain users' credentials.
  • Bypass the passcode or fingerprint requirements in OneDrive for Android.
  • Run arbitrary code remotely.

Best Practices and Recommendations:

The CERT team encourages users to review the Microsoft security advisory and apply the necessary updates:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan

Last updated on 15 January, 2020