Microsoft's April 2020 Update Tuesday patches fix 113 vulnerabilities, including three Windows bugs exploited in arbitrary code execution and privilege escalation attacks.
Microsoft has patched two vulnerabilities related to the Adobe Type Manager Library, which are frequently exploited for remote code execution. Despite its name, the library is funded solely by Microsoft, and Adobe claims its customers are not at risk.
The vulnerabilities, tracked as CVE-2020-1020 and CVE-2020-0938, were disclosed several weeks ago by Microsoft, but the company initially offered only a mitigation. The tech giant says the vulnerabilities are less likely to be abused on Windows 10 PCs thanks to the protection features of the latest version of the operating system.
For both vulnerabilities, Microsoft has credited Google Project Zero and the Google Threat Analysis Group. CVE-2020-0938 was also attributed to the Chinese cybersecurity analysis company Qi An Xin.
No information is currently available about the attacks exploiting these vulnerabilities, and Google seldom discloses this type of information.
Microsoft also credited Google for reporting an actively exploited Windows kernel vulnerability tracked as CVE-2020-1027.
“An attacker who successfully exploited the vulnerability could execute code with elevated permissions,” Microsoft said in its advisory. “To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.”
In this case, exploitation was observed against Windows 10, although older versions of the operating system are likely to be targeted.
CVE-2020-0968, a remote code execution flaw in Internet Explorer, is also marked as exploited, but that may be a mistake, because its index is “1-Exploitation more likely” rather than “0-Exploitation found.” This was not the first time such an error was found in a Microsoft advisory. SecurityWeek has reached out to Microsoft for clarification.
The remaining CVEs Microsoft patched this month affect Windows, Edge, Internet Explorer, Outlook, Windows Defender, Dynamics, Android, and Mac apps, among other products.
Only 17 of this month's vulnerabilities are rated critical, and the remainder are rated important.
Microsoft has also fixed a previously disclosed privilege escalation bug in the OneDrive app for Windows.
Trend Micro's Zero Day Initiative (ZDI), which has published a review of this month's patches, notes that the number of CVEs fixed by Microsoft between January and April 2020 is 44% higher than last year.
On Tuesday, Adobe patched just five bugs in ColdFusion, After Effects, and Digital Editions.