Microsoft Issues Patches for 3 Zero-Day Vulnerabilities
Software Giant Had Previously Warned 2 Vulnerabilities Were Being Exploited
Microsoft issued patches for three zero-day vulnerabilities as part of its most recent Patch Tuesday update.
While one of the zero-day flaws was newly disclosed, Microsoft had previously warned about the other two in March (see: Microsoft Alert: Fresh Zero-Day Flaws Found in Windows).
On Patch Tuesday, Microsoft disclosed a total of 113 vulnerabilities across 11 of its software products. These included 17 that were rated "critical" and another 96 rated as "important."
Between January and April, Microsoft issued 44 percent more CVE patches than it did over the same period in 2019, Dustin Childs, a security analyst for Trend Micro's Zero Day Initiative, notes in a blog post about the latest Patch Tuesday updates.
"Both an increasing number of researchers looking for bugs and an expanding portfolio of supported products likely caused this increase," Childs notes. "It will be interesting to see if this pace continues, especially considering Microsoft will pause optional Windows 10 updates starting next month."
Zero-Day Vulnerabilities
Of the three zero-day vulnerabilities that Microsoft addressed Tuesday, two are flaws in the Adobe Type Manager Library, the component that lets Windows render fonts in the PostScript Type 1 format, according to the company.
While Adobe makes versions of the Type Manager Library for both Windows and macOS, the Windows version was improperly handling PostScript Type 1 fonts, according to an alert Microsoft issued in March. This opened up several avenues that attackers could exploit to run arbitrary code on a vulnerable Windows device. The first of these flaws is tracked as CVE-2020-1020, and the second is tracked as CVE-2020-0938.
While Microsoft has now issued patches for both of these vulnerabilities, the company previously noted that attackers were exploiting these flaws mainly in versions of Windows 7 and Office 2010, although versions of Windows 8 and Windows 10 could be affected as well.
Before the patches were available, Microsoft described several workarounds to protect vulnerable devices.
In addition to the patches for the two flaws in the Adobe Type Manager Library, Microsoft issued a patch for a flaw in the part of the Windows kernel that handles objects in memory. That flaw is tracked as CVE-2020-1027. An attacker who successfully exploited this vulnerability could execute code in the kernel and gain elevated permissions, according to Microsoft.
Microsoft did not specify if attackers were actively exploiting this zero-day vulnerability in the wild. It was discovered by Google's Project Zero and Threat Analysis Group.