The COVID-19 pandemic might be causing delays to software schedules, but it’s not managed to stop Microsoft’s April Patch Tuesday update arriving on time this week.
That’s just as well because the update’s star fixes address three urgent zero-day flaws that Microsoft says are being exploited in the wild.
In total, the Windows 10, Windows 8.1, Windows 7 and Windows Server haul includes 113 CVE-level flaws, 19 of which are labelled critical.
The zero-day flaws are slightly confusing to unwrap, in the first instance because Microsoft initially said there were four of them before deciding that CVE-2020-0968, a critical Internet Explorer 11 scripting engine issue, wasn’t being exploited yet (but soon might be).
The most straightforward of the zero days is CVE-2020-1027, an elevation of privilege vulnerability affecting Windows kernel which Microsoft confirmed as “exploitation detected.”
Meanwhile, a second CVE-2020-1020 is a remote code execution (RCE) vulnerability affecting the integrated Adobe Type Manager (ATM) OpenType Library that was originally made public in late March without an identifying CVE.
Except that it now turns out to be not one but two CVEs, with a second RCE flaw in the same software, CVE-2020-0938, joining it.
Microsoft hasn’t said how or by whom these flaws are being exploited beyond describing them as being connected to “limited targeted attacks.” That’s code for a flaw that’s being used by one threat group that will eventually spread to others.
There is also one other public but as yet unexploited flaw marked important, CVE-2020-0935, an elevation of privilege issue in OneDrive. The urgency here is that OneDrive is on large numbers of PCs and will make an inviting target for any cybercriminal. While it has its own updating mechanism, it’s still worth checking that this has happened.
Critical vulnerabilities
Ironically, the three zero days above are also marked ‘important’, which is why some admins will pay as much attention to those marked critical such as CVE-2020-0910, a Hyper-V Hypervisor RCE.
SharePoint gets fixes for four urgent RCEs, CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, and CVE-2020-0974 plus CVE-2020-0927, a cross-site scripting (XSS) vulnerability.
A vulnerability in the way the Windows Media Foundation handles objects in memory receives three fixes, CVE-2020-0948, CVE-2020-0949, and CVE-2020-0950.
Adobe
After a long fix list in March, there’s only a handful of CVE-level fixes for ColdFusion, After Effects, and Digital Editions. That said, the company does sometimes issue more urgent fixes between Patch Tuesday updates. Last month it even missed the deadline entirely and issued patches a week later.
Intel
Timed to coincide with Patch Tuesday, Intel has released nine security fixes across a range of products. Two of these are rated critical, a flaw in the company’s NUC mini PC firmware (CVE-2020-0600), and in the Intel Modular Server Compute Module (CVE-2020-0578). Arguably the most wide-ranging is CVE-2020-0557, affecting a long list of the company’s PROSet/Wireless WiFi products.
Oracle
Last is Oracle, which hoses its user base with 405 security fixes, many falling into the top end of critical.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Michael
Thank you