微软于周二发布了4月安全更新补丁,修复了113个从简单的欺骗攻击到远程执行代码的安全问题。产品涉及Android App、Apps、Microsoft Dynamics、Microsoft Graphics Component、Microsoft JET Database Engine、Microsoft Office、Microsoft Office SharePoint、Microsoft Scripting Engine、Microsoft Windows、Microsoft Windows DNS、Open Source Software、Remote Desktop Client、Visual Studio、Windows Defender、Windows Hyper-V、Windows Kernel、Windows Media以及Windows Update Stack。
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr
关键漏洞概述
本次更新微软共修复17个Critical级别漏洞,部分概述如下。
- CVE-2020-0687
Microsoft Graphics 远程代码执行漏洞
漏洞由Windows字体库对特制嵌入式字体处理不当造成,攻击者可能以多种方式利用此漏洞。
一种是在基于 web 的场景中,通过诱导用户访问特制的网站来利用漏洞。另一种是在文件共享场景下,会诱导用户打开特制文档。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0687
- CVE-2020-0907
Microsoft 图形组件远程代码执行漏洞
在 Microsoft 图形组件处理内存中对象的过程中存在一个远程代码执行漏洞。仅当用户打开特制文件时,才会触发此漏洞,成功利用漏洞的攻击者可以在目标系统上执行任意代码。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0907
- CVE-2020-0929,CVE-2020-0931,CVE-2020-0932
Microsoft SharePoint远程执行代码漏洞
若要利用这些漏洞,攻击者需要将特制的SharePoint程序包上传至受影响版本的SharePoint,以允许他们在SharePoint应用程序池和SharePoint服务器中执行任意代码。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932
- CVE-2020-0938和CVE-2020-1020
Windows Adobe Font Manager库远程执行代码漏洞
当Windows Adobe Type Manager库对multi-master字体(Adobe Type 1 PostScript格式)处理不当时出现的远程执行代码漏洞。
如果攻击者在Windows 10以外的任何操作系统上利用此bug,可实现远程执行任意代码。在Windows 10上,它们将仅限于以有限的特权在AppContainer沙箱中执行代码。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020
- CVE-2020-0968
Internet Explorer 中,脚本引擎在处理内存中对象的过程中存在一个远程代码执行漏洞。
该漏洞可破坏内存,使攻击者在当前用户的上下文中执行任意代码。成功利用此漏洞的攻击者可获得与当前用户相同的权限。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968
- CVE-2020-0970、CVE-2020-0969
分别是ChakraCore脚本引擎和Chakra脚本引擎处理内存中对象时存在的远程代码执行漏洞。影响Microsoft Edge (EdgeHTML-based),该漏洞可破坏内存,使攻击者在当前用户的上下文中执行任意代码。成功利用此漏洞的攻击者可获得与当前用户相同的权限。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0970
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0969
相关信息如下:
产品 | CVE 编号 | CVE 标题 | 严重程度 |
Microsoft Dynamics | CVE-2020-1022 | Dynamics Business Central 远程代码执行漏洞 | Critical |
Microsoft Graphics Component | CVE-2020-0907 | Microsoft Graphics Components 远程代码执行漏洞 | Critical |
Microsoft Graphics Component | CVE-2020-0687 | Microsoft Graphics 远程代码执行漏洞 | Critical |
Microsoft Graphics Component | CVE-2020-0938 | Adobe Font Manager Library 远程代码执行漏洞 | Critical |
Microsoft Graphics Component | CVE-2020-1020 | Adobe Font Manager Library 远程代码执行漏洞 | Critical |
Microsoft Office | CVE-2020-0931 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
Microsoft Office SharePoint | CVE-2020-0929 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
Microsoft Office SharePoint | CVE-2020-0932 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
Microsoft Office SharePoint | CVE-2020-0974 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
Microsoft Scripting Engine | CVE-2020-0968 | Scripting Engine 内存破坏漏洞 | Critical |
Microsoft Scripting Engine | CVE-2020-0969 | Chakra Scripting Engine 内存破坏漏洞 | Critical |
Microsoft Scripting Engine | CVE-2020-0970 | Scripting Engine 内存破坏漏洞 | Critical |
Microsoft Windows | CVE-2020-0965 | Microsoft Windows Codecs Library 远程代码执行漏洞 | Critical |
Windows Hyper-V | CVE-2020-0910 | Windows Hyper-V 远程代码执行漏洞 | Critical |
Windows Media | CVE-2020-0948 | Media Foundation 内存破坏漏洞 | Critical |
Windows Media | CVE-2020-0949 | Media Foundation 内存破坏漏洞 | Critical |
Windows Media | CVE-2020-0950 | Media Foundation 内存破坏漏洞 | Critical |
Android App | CVE-2020-0943 | Microsoft YourPhone Application for Android Authentication Bypass Vulnerability | Important |
Apps | CVE-2020-1019 | Microsoft RMS Sharing App for Mac 特权提升漏洞 | Important |
Microsoft Dynamics | CVE-2020-1018 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important |
Microsoft Dynamics | CVE-2020-1049 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
Microsoft Dynamics | CVE-2020-1050 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-0784 | DirectX 特权提升漏洞 | Important |
Microsoft Graphics Component | CVE-2020-0987 | Microsoft Graphics Component 信息泄露漏洞 | Important |
Microsoft Graphics Component | CVE-2020-1004 | Windows Graphics Component 特权提升漏洞 | Important |
Microsoft Graphics Component | CVE-2020-1005 | Microsoft Graphics Component 信息泄露漏洞 | Important |
Microsoft Graphics Component | CVE-2020-0952 | Windows GDI 信息泄露漏洞 | Important |
Microsoft Graphics Component | CVE-2020-0958 | Win32k 特权提升漏洞 | Important |
Microsoft Graphics Component | CVE-2020-0964 | GDI+ 远程代码执行漏洞 | Important |
Microsoft Graphics Component | CVE-2020-0982 | Microsoft Graphics Component 信息泄露漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0988 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0992 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0994 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0995 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0999 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-1008 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0889 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0953 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0959 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft JET Database Engine | CVE-2020-0960 | Jet Database Engine 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0760 | Microsoft Office 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0906 | Microsoft Excel 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0935 | OneDrive for Windows 特权提升漏洞 | Important |
Microsoft Office | CVE-2020-0979 | Microsoft Excel 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0980 | Microsoft Word 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0991 | Microsoft Office 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0961 | Microsoft Office Access Connectivity Engine 远程代码执行漏洞 | Important |
Microsoft Office | CVE-2020-0984 | Microsoft (MAU) Office 特权提升漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0920 | Microsoft SharePoint 远程代码执行漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0923 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0924 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0925 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0926 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0927 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0930 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0933 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0954 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0971 | Microsoft SharePoint 远程代码执行漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0972 | Microsoft SharePoint 欺骗漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0973 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-0975 | Microsoft SharePoint 欺骗漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0976 | Microsoft SharePoint 欺骗漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0977 | Microsoft SharePoint 欺骗漏洞 | Important |
Microsoft Office SharePoint | CVE-2020-0978 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Windows | CVE-2020-0794 | Windows 拒绝服务漏洞 | Important |
Microsoft Windows | CVE-2020-0944 | Connected User Experiences and Telemetry Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-1001 | Windows Push Notification Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-1006 | Windows Push Notification Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-1029 | Connected User Experiences and Telemetry Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-0934 | Windows 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-0940 | Windows Push Notification Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-0942 | Connected User Experiences and Telemetry Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-0981 | Windows Token 安全功能绕过漏洞 | Important |
Microsoft Windows | CVE-2020-1009 | Windows 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-1011 | Windows 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-1016 | Windows Push Notification Service 信息泄露漏洞 | Important |
Microsoft Windows | CVE-2020-1017 | Windows Push Notification Service 特权提升漏洞 | Important |
Microsoft Windows | CVE-2020-1094 | Windows Work Folder Service 特权提升漏洞 | Important |
Microsoft Windows DNS | CVE-2020-0993 | Windows DNS 拒绝服务漏洞 | Important |
Open Source Software | CVE-2020-1026 | MSR JavaScript Cryptography Library 安全功能绕过漏洞 | Important |
Remote Desktop Client | CVE-2020-0919 | Microsoft Remote Desktop App for Mac 特权提升漏洞 | Important |
Visual Studio | CVE-2020-0899 | Microsoft Visual Studio 特权提升漏洞 | Important |
Visual Studio | CVE-2020-0900 | Visual Studio Extension Installer Service 特权提升漏洞 | Important |
Windows Defender | CVE-2020-0835 | Windows Defender Antimalware Platform Hard Link 特权提升漏洞 | Important |
Windows Defender | CVE-2020-1002 | Microsoft Defender 特权提升漏洞 | Important |
Windows Hyper-V | CVE-2020-0917 | Windows Hyper-V 特权提升漏洞 | Important |
Windows Hyper-V | CVE-2020-0918 | Windows Hyper-V 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0913 | Windows Kernel 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0955 | Windows Kernel Information Disclosure in CPU Memory Access | Important |
Windows Kernel | CVE-2020-1000 | Windows Kernel 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-1003 | Windows Kernel 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-1007 | Windows Kernel 信息泄露漏洞 | Important |
Windows Kernel | CVE-2020-1027 | Windows Kernel 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0699 | Win32k 信息泄露漏洞 | Important |
Windows Kernel | CVE-2020-0821 | Windows Kernel 信息泄露漏洞 | Important |
Windows Kernel | CVE-2020-0888 | DirectX 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0936 | Windows Scheduled Task 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0956 | Win32k 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0957 | Win32k 特权提升漏洞 | Important |
Windows Kernel | CVE-2020-0962 | Win32k 信息泄露漏洞 | Important |
Windows Kernel | CVE-2020-1015 | Windows 特权提升漏洞 | Important |
Windows Media | CVE-2020-0945 | Media Foundation 信息泄露漏洞 | Important |
Windows Media | CVE-2020-0946 | Media Foundation 信息泄露漏洞 | Important |
Windows Media | CVE-2020-0947 | Media Foundation 信息泄露漏洞 | Important |
Windows Media | CVE-2020-0937 | Media Foundation 信息泄露漏洞 | Important |
Windows Media | CVE-2020-0939 | Media Foundation 信息泄露漏洞 | Important |
Windows Update Stack | CVE-2020-0985 | Windows Update Stack 特权提升漏洞 | Important |
Windows Update Stack | CVE-2020-0996 | Windows Update Stack 特权提升漏洞 | Important |
Windows Update Stack | CVE-2020-0983 | Windows 特权提升漏洞 | Important |
Windows Update Stack | CVE-2020-1014 | Microsoft Windows Update Client 特权提升漏洞 | Important |
Microsoft Scripting Engine | CVE-2020-0895 | Windows VBScript Engine 远程代码执行漏洞 | Low |
Microsoft Scripting Engine | CVE-2020-0966 | VBScript 远程代码执行漏洞 | Low |
Microsoft Scripting Engine | CVE-2020-0967 | VBScript 远程代码执行漏洞 | Moderate |
修复建议
微软官方已经发布更新补丁,请及时进行补丁更新。