It’s April 2020 Patch Tuesday, and during these challenging times of a coronavirus pandemic, this month’s patch management process would not go easy for many organizations where most of the resources are working remotely.
Microsoft today released the latest batch of software security updates for all supported versions of its Windows operating systems and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity.
Most importantly, two of the security flaws have been reported as being publicly known at the time of release, and the other two are being actively exploited in the wild by hackers.
One of the publicly disclosed flaws, which was also exploited as zero-day, resides in the Adobe Font Manager Library used by Windows, the existence of which Microsoft revealed last month within an early security warning for its millions of users.
Tracked as CVE-2020-1020, the remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.
As explained in the previous post, the affected font library not only parses content when open with a 3rd-party software but used by Windows Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without having users to open it.
The second in-the-wild exploited remote code execution flaw (CVE-2020-0938) also resides in the Adobe Type Manager Library that triggers when parsing a malicious OpenType font.
Both of these zero-day flaws were reported to Microsoft in the last week of Match by researchers working with Google Google Project but with a very short full disclosure deadline, which was then mutually extended considering the current global circumstances.
Besides this, the second publicly known issue, which was not exploited, is an important severity elevation of privilege vulnerability (CVE-2020-0935) that resides in the OneDrive for Windows desktop.
Other than these, 5 critical flaws affect Microsoft Office SharePoint, 4 of which exists due to the failure of the software to check the source markup of an application package, allowing remote attackers to execute arbitrary code on the affected machines.
Whereas the 5th flaw in Microsoft Office SharePoint is a cross-site-scripting (XSS) vulnerability (CVE-2020-0927) that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server.
Another notable critical flaw (CVE-2020-0910) affects Windows Hyper-V, enabling a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host, or escaping from one guest virtual machine to another guest virtual machine.
Windows users and system administrators are highly advised to apply the latest security patches as soon as possible in an attempt to keep cybercriminals and hackers away from taking control of their computers.
For installing the latest Windows security updates, you can head on to Settings → Update & Security → Windows Update → Check for updates on your PC, or you can install the updates manually.