مایکروسافت وصله های امنیتی روز سه شنبه این ماه خود را منتشر کرد. در این به روزسانی ها 3 آسیب پذیری Zero-day و 15 آسیب پذیری با درجه اهمیت “حیاتی” و 93 آسیب پذیری “مهم” رفع گردیده است.
بهتر است کاربران هر چه سریعتر جهت مقابله با ریسک های شناخته شده این وصله های امنیتی را دریافت و نصب نمایند.
آسیب پذیری های Zero-day رفع شده در این به روز رسانی :
به گزارش مایکروسافت دو آسیب پذیری زیر به صورت عمومی افشا شده است :
CVE-2020-1020 – Adobe Font Manager Library Remote Code
CVE-2020-0935 – OneDrive for Windows Elevation of Privilege
و دو آسیب پذیری زیر مورد سوءاستفاده قرار گرفته اند :
CVE-2020-0938 – Adobe Font Manager Library Remote Code Execution
CVE-2020-1020 – Adobe Font Manager Library Remote Code Execution
وصله امنیتی منتشر شده برای برای آسیب پذیری روز صفر Adobe Font Manager
آسیبپذیریهای مذکور از مدیریت نادرست فونتهای دستکاری شده از نوع Multi-master با قالب Adobe Type ۱ PostScript در Adobe Font Manager Library ناشی میشوند.
مهاجم به بهره جویی موفق در تمامی سیستمها بجز Windows ۱۰ قادر به اجرای کد مورد نظر خود بهصورت از راه دور است. همچنین سوءاستفاده از این آسیبپذیریها در Windows ۱۰ به مهاجم این امکان را میدهد که در یک بستر موسوم به AppContainer Sandbox با سطح دسترسی و امکانات محدود اجرا کرده و در ادامه اقدام به نصب برنامه، مشاهده کردن، تغییر دادن و حذف نمودن دادهها و حتی ایجاد کردن حسابهای کاربری با سطح دسترسی کامل کند.
قبلا برای این آسیب پذیری ها از راهکارهای مختلفی مثل غیرفعال کردن preview panes و سرویس های مختلف و اصلاح رجیستری برای کاهش خطرات امنیتی و مسدود سازی حملات استفاده می شد که با وجود به روزرسانی منتشر شده اخیر دیگر نیازی به این اقدامات نخواهد بود و کاربرانی که قبلا این راهکارها را مورد استفاده قرار داده اند لازم است آنها را به تنظیمات قبل بازگردانند.
در جدول زیر لیست کامل وصله های امنیتی منتشر شده را مشاهده می نمایید :
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Android App | CVE-2020-0943 | Microsoft YourPhone Application for Android Authentication Bypass Vulnerability | Important |
| Apps | CVE-2020-1019 | Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-1050 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-1018 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important |
| Microsoft Dynamics | CVE-2020-1049 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-1022 | Dynamics Business Central Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-0952 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0938 | Adobe Font Manager Library Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0687 | Microsoft Graphics Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-0987 | Microsoft Graphics Component Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1004 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1005 | Microsoft Graphics Component Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0958 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0907 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-0982 | Microsoft Graphics Component Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0964 | GDI+ Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1020 | Adobe Font Manager Library Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0784 | DirectX Elevation of Privilege Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0995 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0999 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0988 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0992 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0994 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0953 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0889 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0959 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-0960 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1008 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0979 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0980 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0984 | Microsoft (MAU) Office Elevation of Privilege Vulnerability | Important |
| Microsoft Office | CVE-2020-0760 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0991 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0961 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0931 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2020-0906 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0935 | OneDrive for Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0927 | Microsoft Office SharePoint XSS Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-0923 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0925 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0924 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0932 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-0930 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0933 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0920 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0929 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-0971 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0975 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0978 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0977 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0976 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0974 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-0973 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0972 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-0954 | Microsoft Office SharePoint XSS Vulnerability | Moderate |
| Microsoft Office SharePoint | CVE-2020-0926 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Scripting Engine | CVE-2020-0968 | Scripting Engine Memory Corruption Vulnerability | Moderate |
| Microsoft Scripting Engine | CVE-2020-0966 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-0895 | Windows VBScript Engine Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-0969 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-0970 | Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-0967 | VBScript Remote Code Execution Vulnerability | Moderate |
| Microsoft Windows | CVE-2020-0942 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-0965 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical |
| Microsoft Windows | CVE-2020-0940 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-0934 | Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1029 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1011 | Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1094 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1016 | Windows Push Notification Service Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-0794 | Windows Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1017 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-0944 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1006 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1009 | Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2020-1001 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows DNS | CVE-2020-0993 | Windows DNS Denial of Service Vulnerability | Important |
| Open Source Software | CVE-2020-1026 | MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability | Important |
| Remote Desktop Client | CVE-2020-0919 | Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability | Important |
| Visual Studio | CVE-2020-0899 | Microsoft Visual Studio Elevation of Privilege Vulnerability | Important |
| Visual Studio | CVE-2020-0900 | Visual Studio Extension Installer Service Elevation of Privilege Vulnerability | Important |
| Windows Defender | CVE-2020-1002 | Microsoft Defender Elevation of Privilege Vulnerability | Important |
| Windows Defender | CVE-2020-0835 | Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability | Important |
| Windows Hyper-V | CVE-2020-0918 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Windows Hyper-V | CVE-2020-0910 | Windows Hyper-V Remote Code Execution Vulnerability | Critical |
| Windows Hyper-V | CVE-2020-0917 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-0699 | Win32k Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-1003 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-0955 | Windows Kernel Information Disclosure in CPU Memory Access | Important |
| Windows Kernel | CVE-2020-1015 | Windows Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-1000 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-1007 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2020-0957 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-0936 | Windows Scheduled Task Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-0956 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-0962 | Win32k Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2020-0821 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2020-0913 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-0888 | DirectX Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2020-0948 | Media Foundation Memory Corruption Vulnerability | Critical |
| Windows Media | CVE-2020-0937 | Media Foundation Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2020-0949 | Media Foundation Memory Corruption Vulnerability | Critical |
| Windows Media | CVE-2020-0939 | Media Foundation Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2020-0950 | Media Foundation Memory Corruption Vulnerability | Critical |
| Windows Media | CVE-2020-0946 | Media Foundation Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2020-0947 | Media Foundation Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2020-0945 | Media Foundation Information Disclosure Vulnerability | Important |
| Windows Update Stack | CVE-2020-0996 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-1014 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-0983 | Windows Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-0985 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
منبع :
