Microsoft’s April Patches Fix Multiple 0-Day Vulnerabilities Exploited in the Wild Threat Alert


April 25, 2020 | Adeline Zhang

Overview

On April 14, 2020, local time, Microsoft released its April patches, which fix 113 security issues, including three 0-day vulnerabilities that have been exploited in the wild. The three vulnerabilities exist in the Windows Adobe Type Manager Library and the Windows kernel.

According to ZDI’s report, at first, the scripting engine memory corruption vulnerability (CVE-2020-0968) was also listed as one having been exploited. However, the security advisory was later modified, removing this vulnerability from the list of actively exploited ones.

  • CVE-2020-1020 and CVE-2020-0938

These two are remote code execution vulnerabilities affecting the Windows Adobe Type Manager Library. Microsoft provided mitigations against them in a security advisory released in late March and shipped patches that fix them in April’s update.

These vulnerabilities exist in the way the Windows Adobe Type Manager Library handles multi-master fonts in the Adobe Type 1 PostScript format.

For all systems except Windows 10, an attacker who successfully exploited these vulnerabilities could execute code remotely. For systems running Windows 10, an attacker who successfully exploited these vulnerabilities could execute code in an AppContainer sandbox context with limited privileges and capabilities.

For affected versions and more details, visit the following links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938

  • CVE-2020-1027

This is a privilege escalation vulnerability in the Windows kernel.

The vulnerability exists in the way the Windows kernel handles objects in memory. An attacker who successfully exploited this vulnerability could execute code with elevated permissions.

For affected versions and more details, visit the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027

  • CVE-2020-0968

In Internet Explorer, a remote code execution vulnerability exists in the way that the scripting engine handles objects in memory.

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

For affected versions and more details, visit the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968

Solution

The vendor has released security patches for the supported system versions to fix the preceding vulnerabilities. Affected users are strongly advised to install these patches as soon as possible.

Those who cannot install the update for the time being can take mitigation measures as suggested in the official security advisory.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.