skout-blog

Cybersecurity Threat Advisory 0022-20: Windows GDI+ RCE Vulnerability (CVE-2020-0881)

Advisory Overview

Multiple versions of Windows are affected by a new RCE vulnerability. Supported operating systems like Widows 8, 10, Server 2012, and Server 2016 were issued a patch normally on March 10th, but Windows 7 and Server 2008 were only issued a patch if enrolled in the paid Microsoft ESU program. SKOUT recommends updating all end of life machines or enrolling them in the ESU program and issuing the patch. At a minimum, companies can minimize the risk of this vulnerability on end of life machines by auditing administrative user rights and granting permissions only where necessary.

Technical detail and additional information

What is the threat?

A remote code execution (RCE) vulnerability exists in the way that Windows Graphics Design Interface (GDI+) handles objects in multiple Windows products. This may be exploited through several vectors, such as convincing the target user to visit a specially crafted website where they may open or interact with content the attacker has created. Alternatively, an attacker may share with a target user with a specially crafted document and have the user open it, possibly by disguising it as an email attachment. A malicious actor who exploits this vulnerability could take full control of the affected system and would have access proportionate to the administrative rights of the compromised user account.

Why is this noteworthy?

This vulnerability exists for many Windows products, notably including both Windows 7 and Server 2008 which are end of life as of earlier this year. This means that users of these end of life products will not be eligible to download these security updates unless they are paying for the Windows 7 extended security updates (ESU). This poses a security risk to many organizations that do not currently pay for the Windows 7 ESU.

What is the exposure or risk?

The initial vector of the attack (web based vs. file sharing) is irrelevant, as the resulting compromise is identical either way. The malicious actor would have control over the compromised user account and could cause damage proportionate to the administrative privileges granted to that user. This includes but is not limited to creating or deleting user accounts, executing arbitrary code, adding or removing programs, modifying any data on the system, and more depending on the administrative level of the user.

What are the recommendations?

Microsoft has released a patch for the affected versions of Windows, found below:

However, users of the end of life products such as Windows 7 and server 2008 will be unable to download these security updates without the corresponding ESU package. This means that without the security update it is recommended that you minimize the risk to this vulnerability by auditing administrative user rights and granting permissions only where necessary.

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.