高危保安警报 (A20-04-03): Microsoft 产品多个漏洞 (2020年4月)

描述:

Microsoft 发布了安全性更新以应对多个影响 Microsoft 产品或元件的多个漏洞。有关安全性更新的列表，请参考以下网址：

https://support.microsoft.com/en-us/help/20200414/security-update-deployment-information-april-14-2020

Microsoft 发布的2020年4月安全更新应对了多个正在针对远端执行程式码漏洞的攻击。这些漏洞存在于 Adobe Type Manager 程式库 (CVE-2020-0938 和 CVE-2020-1020) 以及 Microsoft Internet Explorer 9 和 11 (CVE-2020-0968)。 Windows 和 Windows Server 均受影响。系统管理员及终端用户应立即为受影响的系统安装修补程式，以减低受到网络攻击的风险。

受影响的系统:

• Microsoft Internet Explorer 9, 11
• Microsoft Edge (EdgeHTML-based)
• Microsoft Windows 7, 8.1, RT 8.1, 10
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
• Microsoft Windows Server, version 1803, version 1903, version 1909
• Microsoft Office 2010, 2013, 2013 RT, 2016, 2016 for Mac, 2019, 2019 for Mac
• Microsoft Office 365 ProPlus
• Microsoft Office Online Server
• Microsoft Office Web Apps 2010, 2013
• Microsoft Excel 2010, 2013, 2013 RT, 2016
• Microsoft PowerPoint 2010, 2013, 2013 RT, 2016
• Microsoft Word 2010, 2013, 2013 RT, 2016
• Microsoft Outlook 2010, 2013, 2013 RT, 2016
• Microsoft Access 2010, 2013, 2016
• Microsoft Project 2010, 2013, 2016
• Microsoft Project Server 2013
• Microsoft SharePoint Foundation 2010, 2013
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2010, 2019
• Microsoft Business Productivity Servers 2010
• Microsoft Dynamics 365 Business Central 2019
• Microsoft Dynamics 365 Server, version 9.0
• Microsoft Dynamics 365 BC On Premise
• Microsoft Dynamics NAV 2013, 2015, 2016, 2017, 2018
• Microsoft Forefront Endpoint Protection 2010
• Microsoft Publisher 2010, 2013, 2016
• Microsoft Research JavaScript Cryptography Library V1.4
• Microsoft Security Essentials
• Microsoft System Center 2012, 2012 R2 Endpoint Protection
• Microsoft Visio 2010, 2013, 2016
• Microsoft Visual Studio 2015, 2017, 2019
• Microsoft OneDrive for Windows
• Microsoft Your Phone Companion App for Android
• Microsoft AutoUpdate for Mac
• Microsoft RMS Sharing for Mac
• Microsoft Remote Desktop for Mac
• Windows Defender
• ChakraCore

影响:

成功利用这些漏洞可以导致远端执行程式码、提高权限、服务受阻断、泄漏资讯、仿冒诈骗及绕过保安功能，视乎攻击者利用哪个漏洞而定。

建议:

受影响产品的修补程式可在 Windows Update 或 Microsoft Update Catalog 获取。受影响系统的用户应遵从产品供应商的建议，立即采取行动以降低风险。

进一步信息:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr
https://support.microsoft.com/en-us/help/20200414/security-update-deployment-information-april-14-2020
https://www.hkcert.org/my_url/zh/alert/20041501
https://www.us-cert.gov/ncas/current-activity/2020/04/14/microsoft-releases-april-2020-security-updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0917
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0923 (to CVE-2020-0927)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0929 (to CVE-2020-0940)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0942 (to CVE-2020-0950)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952 (to CVE-2020-0962)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964 (to CVE-2020-0985)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0991 (to CVE-2020-0996)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999 (to CVE-2020-1009)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014 (to CVE-2020-1020)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-109