Microsoft’s new Patch Tuesday update for April fixes 113 vulnerabilities across 11 different Microsoft products. Included in the vulnerability fixes are patches for three unique zero-day bugs that are being exploited on Windows PCs.
These zero-day bugs include CVE-2020-1020 – an exploitable vulnerability that exists in the Adobe Type Manager Library where a hacker can execute code on the target system remotely. This exploit was first discovered around two weeks ago.
The exploit allows hackers to install programs as well as view, change and even delete user data via the creation of accounts with full admin rights. Cybercriminals are delivering this exploit through malware embedded in malicious email documents. Windows 10 is currently the only OS that resists full remote control, though it still allows hackers limited privileges.
Another bug, CVE-2020-0938, is almost identical to the one above, as it resides in the same Adobe Type Manager Library. It is also triggered when the user opens a malicious document, usually received through email.
Microsoft has since published mitigation methods that can be applied to both CVE-2020-0938 and CVE-2020-1020, effectively blocking these exploits.
The final actively exploited bug is CVE-2020-1027, which allows cybercriminals to execute code with elevated permissions. The bug lies in the way the Windows kernel handles objects in memory; hackers run a specially crafted application to exploit this flaw.
The April 2020 security release consists of security updates for the following software:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based)
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Visual Studio
- Microsoft Dynamics
- Microsoft Apps for Android
- Microsoft Apps for Mac
Edited by Luis Monzon