Three Actively Exploited Flaws Patched by Microsoft

For April 2020 Patch Tuesday, Microsoft released updates fixing 113 flaws in its operating systems and software products, 19 of which are rated critical. This month's batch includes fixes for 3 zero-day flaws that are being actively exploited in real-world attacks.

Two of the actively exploited flaws were disclosed by Microsoft in March, along with suggested workarounds to reduce the chance of exploitation. The flaws, CVE-2020-0938 and CVE-2020-1020, both affect the Adobe Font Manager Library and can result in remote code execution on all supported Windows versions. On Windows 10 the impact is partially mitigated: exploitation there could only achieve code execution inside an AppContainer sandbox with restricted privileges and capabilities. The flaws could be triggered if a user is convinced to open a specially crafted document, or if such a document is rendered in the Windows Preview pane.

The third actively exploited zero-day is a Windows Kernel vulnerability identified by Google's Project Zero team. The flaw, tracked as CVE-2020-1027, could permit remote code execution with elevated privileges. It has been exploited in attacks against Windows 10 devices, but older operating systems are also at risk.

Another flaw was initially reported as having been exploited but is now labelled "exploitation likely". The flaw, tracked as CVE-2020-0968, affects Internet Explorer and relates to how the scripting engine handles objects in memory.

Another flaw, CVE-2020-0935, which affects OneDrive for Windows, is rated important but has been publicly disclosed. The flaw is due to improper handling of shortcut links. Exploiting it would allow an attacker to further compromise a system and execute additional payloads. Since OneDrive is installed on many devices and is used extensively by remote workers for storing and sharing files, it is an attractive flaw for attackers, and the patch should be prioritized along with the critical fixes.

Many of the flaws that could be triggered by convincing an employee to visit a malicious website or open a specially crafted document sent via email could lead to the installation of malware or backdoors, information disclosure, and access to devices with full user rights. With so many employees working remotely during the COVID-19 pandemic, and with attackers targeting those individuals, it is more important than ever for patches to be applied promptly.

Microsoft has also said that it will delay the end of support for a number of operating systems, software products, and services in 2020, to ease the pressure on IT departments during this difficult period.

Many IT workers have also had to work from home, and the added stress of managing IT and supporting a largely at-home workforce has left little time to prepare for updates to software and operating systems.

Microsoft, in a recent support article, said “As a member of the global community, we want to contribute to reducing the stress our customers face right now. To that end, we have delayed the scheduled end of support and servicing dates for the following products to help people and organizations focus their attention on retaining business continuity.”

End of support dates have been delayed for the following operating systems, software, and services.

End of support dates for all other software and services scheduled for 2020 remain the same.

Author: Maria Perez