The third actively exploited zero-day is a Windows Kernel vulnerability that was identified by Google’s Project Zero team. The flaw, tracked as CVE-2020-1027, could permit remote code execution with elevated privileges. The flaw has been focused on in attacks on Windows 10 devices, but older operating systems are also at risk.
Another flaw was initially reported as having been exploited but is now labelled as “exploitation likely”. The flaw, tracked as CVE-2020-0968, impacts Internet Explorer and relates to how the scripting engine handles objects in the memory.
Another flaw, CVE-2020-0935, which impacts OneDrive for Windows, is rated important but it has been publicly shared. The flaw is due to improper handling of shortcut links. Exploitation of the flaw would permit a hacker to further compromise systems and execute additional payloads. Since OneDrive is downloaded on many devices and is used extensively by remote workers for sharing and storing files, it would be an attractive flaw for hackers to exploit. It should therefore be prioritized along with the critical flaws.
Many of the flaws that could be targeted by convincing an employee to visit a malicious website or open a specially crafted document sent via email could lead to the installation of malware, backdoors, and result in information disclosure and access being gained to devices with full user rights. With so many remote working employees during the COVID-19 pandemic, and with hackers targeting those individuals, it is more important than ever for patches to be applied promptly.
Microsoft has also said that it will be delaying end of support for a number of operating systems, software, and services in 2020, to ease the pressure on IT departments at this difficult period of time.
Many IT workers have also been put in a position where they have to work from home and the increased stress of managing IT and providing support to a largely at-home workforce has meant there has been little time to take the required steps to prepare for updates to software and operating systems.
Microsoft, in a recent support article, said “As a member of the global community, we want to contribute to reducing the stress our customers face right now. To that end, we have delayed the scheduled end of support and servicing dates for the following products to help people and organizations focus their attention on retaining business continuity.”
End of support dates have been delayed for the following operating systems, software, and services.
End of support dates for all other software and services scheduled for 2020 remain the same.