Microsoft Releases Patches for 3 Bugs Exploited as Zero-Days in the Wild

It's April 2020 Patch Tuesday, and in these difficult times of the coronavirus pandemic, this month's patch management process will be hard for many organizations, with most of their staff and resources working remotely.

Microsoft today released its latest batch of software security updates for all supported versions of the Windows operating system and other products, resolving a total of 113 new vulnerabilities, 17 of which are rated critical and 96 of which are rated important.

Patches for 4 Zero-Day Vulnerabilities

More importantly, two of these security weaknesses were publicly known at the time of release, and three of them were being actively exploited by attackers in the wild.

One of the publicly disclosed vulnerabilities, a zero-day, resides in the Adobe Font Manager library used by Windows, which Microsoft disclosed to its millions of users in an early security advisory last month.

The remote code execution vulnerability in Microsoft Windows, tracked as CVE-2020-1020, exists because the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format.

As explained in the previous article, the affected font library parses font content not only when a file is opened with third-party software, but also when Windows Explorer renders the file in the Preview Pane or Details Pane, without the user ever having to open it.

The second remote code execution bug (CVE-2020-0938) also resides in the Adobe Type Manager Library and is triggered when a malicious OpenType font is parsed.

These two zero-day flaws were reported to Microsoft in the last week of March by researchers working with Google's Project Zero, initially under a very short full-disclosure deadline, which was then extended by mutual agreement in light of current global conditions.

The third zero-day is an elevation of privilege vulnerability (CVE-2020-1027) in the Windows kernel, discovered by Google Project Zero, affecting all supported versions of Windows, including Windows 10, 8.1 and Server 2008, 2012, 2016 and 2019, as well as Windows 7, for which Microsoft ended support in January 2020.

Other new bugs fixed by Microsoft this month

The second publicly known issue, which has not been exploited in the wild, is an elevation of privilege vulnerability rated important (CVE-2020-0935) in OneDrive for Windows desktop.

The latest update also includes fixes for 5 critical flaws affecting Microsoft Office SharePoint. Four of them exist because the software fails to check the source markup of an application package, allowing remote attackers to execute arbitrary code on affected machines.

The fifth SharePoint flaw is a cross-site scripting (XSS) issue (CVE-2020-0927) that could be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server.

There is another important bug, tracked as CVE-2020-0910 and rated critical, that affects the Windows Hyper-V hypervisor: it could allow a guest VM to compromise the hypervisor, escape from a guest VM to the host, or move from one guest VM to another.

In addition, Microsoft fixed other critical flaws this month, including ones in the Chakra scripting engine, Microsoft Dynamics 365 Business Central, Media Foundation, the graphics components, the codec library and VBScript, all of which could lead to remote code execution.

Windows users and system administrators are strongly advised to apply the latest security updates as soon as possible to prevent cybercriminals and hackers from taking control of their computers.

To install the latest Windows security updates, go to Settings → Update & Security → Windows Update → Check for updates, or install the updates manually.
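For administrators who need to confirm, rather than assume, that this month's fixes have landed, the following PowerShell script is an added example (it is not from the original article or from Microsoft). It uses the Windows Update Agent COM API to list software updates the machine still considers missing, flags those whose metadata references the CVE IDs named in this article, and reports whether a restart is still pending. It assumes a Windows host with access to its configured update source (Windows Update or WSUS); the CVE list is taken from the article.

```powershell
# Added example (not from the article): enumerate software updates that
# Windows Update still reports as missing on this machine, and flag those
# whose metadata references the CVE IDs named in the article.
# Assumption: runs on Windows with the Windows Update Agent COM API available
# and network access to its configured update source (Windows Update or WSUS).

$ArticleCves = @(
    'CVE-2020-1020',  # Adobe Type Manager Library, Type 1 multi-master font RCE
    'CVE-2020-0938',  # Adobe Type Manager Library, OpenType font RCE
    'CVE-2020-1027',  # Windows kernel elevation of privilege
    'CVE-2020-0935',  # OneDrive for Windows desktop elevation of privilege
    'CVE-2020-0927',  # SharePoint cross-site scripting
    'CVE-2020-0910'   # Windows Hyper-V guest-to-host escape
)

function Get-PendingSoftwareUpdates {
    # Ask the Windows Update Agent for software updates that are not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        # IUpdate2.CveIDs lists the CVEs an update addresses; it may be empty.
        $cves = @($update.CveIDs)
        [pscustomobject]@{
            Title      = $update.Title
            KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = $update.MsrcSeverity
            Downloaded = $update.IsDownloaded
            CveIDs     = $cves -join ','
            # True when this pending update closes one of the article's CVEs.
            InArticle  = [bool]($cves | Where-Object { $ArticleCves -contains $_ })
        }
    }
}

function Test-RebootPending {
    # An update that is installed but waiting on a restart leaves the old
    # code running; the Windows Update Agent exposes that state here.
    (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
}

$pending = @(Get-PendingSoftwareUpdates)
if ($pending.Count -eq 0) {
    Write-Host "Windows Update reports no missing software updates."
} else {
    $pending | Sort-Object InArticle -Descending | Format-Table -AutoSize
    $urgent = @($pending | Where-Object InArticle)
    if ($urgent.Count -gt 0) {
        Write-Warning ("{0} pending update(s) address CVEs from this month's release." -f $urgent.Count)
    }
}
if (Test-RebootPending) {
    Write-Warning "A restart is pending; installed updates are not fully applied until reboot."
}
```

Run it from an elevated PowerShell prompt on each host you are tracking. An empty result with no pending reboot is the state to aim for; a non-empty list with `InArticle` set to True, or a pending reboot, means the machine is still exposed to at least one of the flaws described above even if the update has been downloaded.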