This Tuesday, Microsoft released the scheduled Patch Tuesday update for April 2020. This month also brings a huge update bundle with 113 security fixes. It’s even more important as it addresses some bugs under active exploit.
Microsoft Bugs Under Active Attack
This month, Microsoft has addressed four vulnerabilities under active attack.
The first of these is a critical severity vulnerability (CVE-2020-0968) affecting Internet Explorer. It was a memory corruption flaw that allowed a remote attacker to execute arbitrary codes in the context of the current user. This became even more serious if the logged-in user has administrative rights, thus giving admin privileges to the attacker.
The other three are important severity vulnerabilities, of which, one was even publicly disclosed. Regarding this bug (CVE-2020-1020) Microsoft’s advisory describes,
For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploiting this bug merely required the attacker to convince the user to open a maliciously crafted file.
Another vulnerability in the Windows Adobe Type Manager Library leading to remote code execution (CVE-2020-0938) was under active attack.
Besides, the fourth vulnerability (CVE-2020-1027) existed in the Windows Kernel allowing elevation of privileges.
Apart from these, Microsoft confirmed public disclosure for another important severity bug (CVE-2020-0935) affecting OneDrive.
Other Microsoft Patch Tuesday April Updates
In addition to the publicly disclosed/exploited bugs, Microsoft also addressed 16 other critical severity vulnerabilities affecting various software. Exploiting these bugs would allow remote code execution apart from the bug in Microsoft SharePoint (CVE-2020-0927) which was an XSS vulnerability.
Microsoft also patched 92 other important severity bugs in different products leading to remote code execution, privilege escalation, information disclosure, and other issues.
Users must ensure they update their devices.