Microsoft Fixes Three Zero-Day Flaws in April

Microsoft has fixed 113 vulnerabilities this Patch Tuesday, 19 of which are rated critical, including three zero-day bugs being actively exploited in the wild.

This is the second month in a row that Redmond has issued fixes for over 100 flaws. April’s round includes patches for the two zero-days that Microsoft warned users about in an out-of-band advisory at the end of March.

CVE-2020-1020 and CVE-2020-0938 are two remote code execution bugs in the Windows Adobe Type Manager Library, which, in Microsoft’s words, “improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.” Because Windows parses fonts embedded in documents and web pages automatically, a victim need only open or preview a file carrying a malicious font.

Windows 7 and Server 2008 customers are particularly at risk: those platforms left support in January 2020, so only organizations paying for Extended Security Updates receive the fix, and on these older versions the font parser runs in the kernel, so a successful exploit yields kernel-mode code execution. On supported Windows 10 releases the parser runs in a user-mode AppContainer sandbox, which limits what an attacker gains from the same bug.
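Microsoft’s March advisory for these two font bugs (ADV200006) listed interim workarounds for hosts that could not be patched: disable the WebClient (WebDAV) service, rename ATMFD.DLL, and turn off the Explorer Preview and Details panes. The script below is an added example, not code from the article or from Microsoft, that audits the first two workarounds plus the DisableATMFD registry switch on a legacy host. It assumes Windows PowerShell running as Administrator; the registry value name is taken from Microsoft’s workaround guidance and should be verified against the advisory for your OS version. On Windows 10, atmfd.dll is absent by design, so the ATMFD checks report as mitigated there.

```powershell
# Added example: audit ADV200006 workarounds for CVE-2020-1020 / CVE-2020-0938.
# Not code from the article. Run elevated on Windows 7 / 8.1 / Server 2008 R2 / 2012 R2.

function Get-AtmFontWorkaroundStatus {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. WebClient (WebDAV) service: lets a remote attacker deliver a malicious
    #    font over WebDAV, so the advisory recommends stopping and disabling it.
    #    Win32_Service is used instead of Get-Service so StartMode is available
    #    on PowerShell 2.0 (Windows 7) as well as newer versions.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        $findings += [pscustomobject]@{ Check = 'WebClient service'; Status = 'not installed'; Mitigated = $true }
    } else {
        $off = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
        $findings += [pscustomobject]@{ Check = 'WebClient service'; Status = "$($svc.State) / $($svc.StartMode)"; Mitigated = $off }
    }

    # 2. ATMFD.DLL: the kernel-mode font driver that parses Type 1 fonts on
    #    Windows 8.1 and earlier. Renaming it keeps the vulnerable code from
    #    loading, at the cost of breaking rendering of Type 1 / OpenType fonts.
    $atmfd   = Join-Path $env:windir 'System32\atmfd.dll'
    $present = Test-Path -Path $atmfd
    $findings += [pscustomobject]@{
        Check     = 'atmfd.dll present'
        Status    = $(if ($present) { 'present' } else { 'absent or renamed' })
        Mitigated = (-not $present)
    }

    # 3. DisableATMFD registry switch (assumption: value name per Microsoft's
    #    workaround guidance; confirm against ADV200006 for your OS).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $val = (Get-ItemProperty -Path $key -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    $findings += [pscustomobject]@{
        Check     = 'DisableATMFD = 1'
        Status    = $(if ($null -eq $val) { 'not set' } else { "$val" })
        Mitigated = ($val -eq 1)
    }

    return $findings
}

# Usage: any row with Mitigated = False on an unpatched legacy host is an open exposure.
Get-AtmFontWorkaroundStatus | Format-Table -AutoSize
```

The Explorer Preview and Details pane workaround is per-user UI state and is not checked here; it should be confirmed manually or via your endpoint management tooling. Once the April update is installed, these workarounds can be reverted, and renaming atmfd.dll or setting DisableATMFD should be undone so that font rendering is restored.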

The third zero-day is CVE-2020-1027, a Windows kernel elevation of privilege flaw. It does not give an attacker initial access; rather, an attacker who already has local code execution could run a specially crafted application and execute code in kernel mode with elevated permissions, which is why such bugs are typically chained with a separate remote code execution exploit such as the font bugs above.

A fourth vulnerability, originally listed by Microsoft as exploited in the wild and later revised, has not been seen exploited. CVE-2020-0968 is a memory corruption vulnerability in Internet Explorer caused by the scripting engine’s improper handling of objects in memory.

Although it has not yet been exploited, Tenable notes several plausible scenarios that could put customers at risk.

“An attacker could convince a victim to visit a website containing malicious code, whether or not that website is owned by the attacker, or a compromised website with malicious code injected into it,” the firm explained. “Another scenario would require the attacker to embed the malicious code into a Microsoft Office document and convince the victim to open it.”

Recorded Future intelligence analyst Allan Liska noted that several of this month’s fixes came from a surprising source.

“In 2019, a security researcher going by the handle SandboxEscaper released more than a half dozen zero-day vulnerabilities against Microsoft products,” he explained.

“In a surprising, but welcome, move for Microsoft, they have hired SandboxEscaper and the researcher has made several contributions to this month’s Patch Tuesday. This is great news for Microsoft and the security community at large.”
