Microsoft has 0n 14-04-2020 released the latest batch of software security updates for all supported versions of its Windows operating systems and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity.

Patches for 4 Zero-Days Exploited In the Wild

Most importantly, two of the security flaws have been reported as being publicly known at the time of release, and the four are being actively exploited in the wild by hackers.

One of the publicly disclosed flaws, which was also exploited as zero-day, resides in the Adobe Font Manager Library used by Windows, the existence of which Microsoft revealed last month within an early security warning for its millions of users.

Tracked as CVE-2020-1020, the remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

As explained in the previous post, the affected font library not only parses content when open with a 3rd-party software but also is used by Windows Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without having users to open it.

The second in-the-wild exploited remote code execution flaw (CVE-2020-0938) also resides in the Adobe Type Manager Library that triggers when parsing a malicious OpenType font.

Both of these zero-day flaws were reported to Microsoft in the last week of March by researchers working with Google Project Zero but with a very short full disclosure deadline, which was then mutually extended considering the current global circumstances.

The third zero-day is an elevation of privilege vulnerability (CVE-2020-1027) in Windows kernel and the last in the wild exploited issue impacts scripting engine of Internet Explorer versions 9 and 11, where a memory corruption bug (CVE-2020-0968) could let attackers remotely compromise a targeted computer just by convincing the victim into opening a specially crafted website through the vulnerable web browser. Source – Thehackersnews

Further reading:

krebsonsecurity.com

SANS Internet Storm Center on Patch Tuesday

Qualys breakdown on April 2020 Patch Tuesday