Microsoft Issues Patches for 4 Bugs Exploited as Zero-Day in the Wild

Microsoft released the batch of software security updates for all supported versions of its Windows OS and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity.

Patches for 4 Zero-Days Exploited

Two of the security flaws have been reported as being publicly known at the time of release, and the four are being actively exploited in the wild by hackers.

Two zero-day flaws were reported to Microsoft in the last week of March by researchers but with a very short full disclosure deadline.

One of the publicly disclosed flaws (CVE-2020-1020), the remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. The affected font library not only parses content when open with 3rd-party software but also is used by Windows Explorer to display the content of a file in the 'Preview Pane' or 'Details Pane' without having users to open it.

The second in-the-wild exploited remote code execution flaw (CVE-2020-0938) also resides in the Adobe Type Manager Library that triggers when parsing a malicious OpenType font.

The third zero-day is an elevation of privilege vulnerability (CVE-2020-1027) in Windows kernel and the last exploited issue impacts scripting engine of IE versions 9 and 11, where a memory corruption bug (CVE-2020-0968) could let attackers remotely compromise a targeted computer just by convincing the victim to open website through the vulnerable web browser.

Other New Bugs Microsoft Patched

The second publicly known issue (CVE-2020-0935), not exploited in the wild resides in the OneDrive for Windows desktop.

The latest update also includes patches for 5 critical flaws, 4 of which exist due to the failure of the software to check the source markup of an application package, allowing remote attackers to execute arbitrary code.

Whereas, the 5th SharePoint flaw is a cross-site-scripting (XSS) issue (CVE-2020-0927) that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server.

Another notable flaw tracked as CVE-2020-0910 and rated critical, that affects Windows Hyper-V, allowing a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host, or to another guest virtual machine.

Other flaws Microsoft patched this month affect Chakra scripting engine, Microsoft Dynamics 365 Business Central, media foundation, graphics components, codecs library and VBScript—all leading to remote code execution attacks.

Recommendations

  • It is recommended to apply the latest security patches as soon as possible in an attempt to keep cybercriminals and hackers away from taking control of their computers.
  • For installing the latest Windows security updates, by following these steps:

Settings → Update & Security → Windows Update → Check for updates on your PC, or install the updates manually.