Microsoft addresses three Windows issues actively exploited

Microsoft Patch Tuesday security updates for April 2020 address 113 flaws, including three Windows issues that have been exploited in attacks in the wild.

Microsoft Patch Tuesday security updates for April 2020 address 113 flaws, including two remote code execution flaws in Windows that are actively exploited.

17 vulnerabilities are rated critical; the remaining ones are rated important.

The flaws addressed by Microsoft this month impact Windows, Edge, Internet Explorer, Office, Windows Defender, Dynamics, Apps for Android and Mac, and other products.

The two RCE flaws in Windows, tracked as CVE-2020-1020 and CVE-2020-0938, are related to the Adobe Type Manager Library.


In March, Microsoft warned of hackers exploiting the two zero-day remote code execution (RCE) vulnerabilities in the Windows Adobe Type Manager Library. Both issues impact all supported versions of Windows.

The vulnerabilities affect the way the Windows Adobe Type Manager Library handles a specially crafted multi-master font (Adobe Type 1 PostScript format).

Microsoft describes multiple attack scenarios: attackers could trick victims into opening a specially crafted document or viewing it in the Windows Preview pane.

The good news is that the number of targeted attacks in the wild exploiting the two RCE flaws is “limited”.

Microsoft pointed out that a successful attack on systems running supported versions of Windows 10 could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

Microsoft has credited researchers from Google’s Project Zero and Threat Analysis Group for reporting both vulnerabilities along with experts at Qi An Xin for reporting the CVE-2020-0938 flaw.

The third Windows flaw addressed by Microsoft, tracked as CVE-2020-1027, was also reported by Google. According to Microsoft, the vulnerability is a Windows kernel flaw actively exploited in the wild.

Google has also been credited by Microsoft for reporting an actively exploited Windows kernel vulnerability tracked as CVE-2020-1027.

“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.” reads the advisory published by Microsoft.

“To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.”

Another issue addressed by Microsoft that has been exploited in attacks in the wild is a remote code execution issue in Internet Explorer tracked as CVE-2020-0968.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” reads the advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

As usual, let me suggest reading the analysis of the Microsoft Patch Tuesday security updates published by Trend Micro’s Zero Day Initiative (ZDI); it includes interesting details about the flaws.

Pierluigi Paganini

April 16, 2020
