高危保安警報 (A20-04-03): Microsoft 產品多個漏洞 (2020年4月)

描述:

Microsoft 發布了安全性更新以應對多個影響 Microsoft 產品或元件的多個漏洞。有關安全性更新的列表，請參考以下網址：

https://support.microsoft.com/en-us/help/20200414/security-update-deployment-information-april-14-2020

Microsoft 發布的2020年4月安全更新應對了多個正在針對遠端執行程式碼漏洞的攻擊。這些漏洞存在於 Adobe Type Manager 程式庫 (CVE-2020-0938 和 CVE-2020-1020) 以及 Microsoft Internet Explorer 9 和 11 (CVE-2020-0968)。 Windows 和 Windows Server 均受影響。系統管理員及終端用戶應立即為受影響的系統安裝修補程式，以減低受到網絡攻擊的風險。

受影響的系統:

• Microsoft Internet Explorer 9, 11
• Microsoft Edge (EdgeHTML-based)
• Microsoft Windows 7, 8.1, RT 8.1, 10
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
• Microsoft Windows Server, version 1803, version 1903, version 1909
• Microsoft Office 2010, 2013, 2013 RT, 2016, 2016 for Mac, 2019, 2019 for Mac
• Microsoft Office 365 ProPlus
• Microsoft Office Online Server
• Microsoft Office Web Apps 2010, 2013
• Microsoft Excel 2010, 2013, 2013 RT, 2016
• Microsoft PowerPoint 2010, 2013, 2013 RT, 2016
• Microsoft Word 2010, 2013, 2013 RT, 2016
• Microsoft Outlook 2010, 2013, 2013 RT, 2016
• Microsoft Access 2010, 2013, 2016
• Microsoft Project 2010, 2013, 2016
• Microsoft Project Server 2013
• Microsoft SharePoint Foundation 2010, 2013
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2010, 2019
• Microsoft Business Productivity Servers 2010
• Microsoft Dynamics 365 Business Central 2019
• Microsoft Dynamics 365 Server, version 9.0
• Microsoft Dynamics 365 BC On Premise
• Microsoft Dynamics NAV 2013, 2015, 2016, 2017, 2018
• Microsoft Forefront Endpoint Protection 2010
• Microsoft Publisher 2010, 2013, 2016
• Microsoft Research JavaScript Cryptography Library V1.4
• Microsoft Security Essentials
• Microsoft System Center 2012, 2012 R2 Endpoint Protection
• Microsoft Visio 2010, 2013, 2016
• Microsoft Visual Studio 2015, 2017, 2019
• Microsoft OneDrive for Windows
• Microsoft Your Phone Companion App for Android
• Microsoft AutoUpdate for Mac
• Microsoft RMS Sharing for Mac
• Microsoft Remote Desktop for Mac
• Windows Defender
• ChakraCore

影響:

成功利用這些漏洞可以導致遠端執行程式碼、提高權限、服務受阻斷、泄漏資訊、仿冒詐騙及繞過保安功能，視乎攻擊者利用哪個漏洞而定。

建議:

受影響產品的修補程式可在 Windows Update 或 Microsoft Update Catalog 獲取。受影響系統的用戶應遵從產品供應商的建議，立即採取行動以降低風險。

進一步資訊:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr
https://support.microsoft.com/en-us/help/20200414/security-update-deployment-information-april-14-2020
https://www.hkcert.org/my_url/zh/alert/20041501
https://www.us-cert.gov/ncas/current-activity/2020/04/14/microsoft-releases-april-2020-security-updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0917
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0923 (to CVE-2020-0927)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0929 (to CVE-2020-0940)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0942 (to CVE-2020-0950)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952 (to CVE-2020-0962)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964 (to CVE-2020-0985)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0991 (to CVE-2020-0996)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999 (to CVE-2020-1009)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014 (to CVE-2020-1020)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-109