April’s Patch Tuesday this year was a rather large one with 113 different patches released that deal with vulnerabilities on 11 products, including three zero-day bugs in Windows. Microsoft previously released information and mitigation recommendations for one of the vulnerabilities that was being exploited by attackers in the wild. The three zero-day bugs being dealt with are:
CVE-2020-1020 – A vulnerability in the Windows Adobe Type Manager Library makes it possible for attackers to run code on systems that are vulnerable but does not affect Windows 10.
CVE-2020-0938 – This bug also lies in the Windows Adobe Type Manager Library, but the difference is that its existence was not publicly known until the patches were released yesterday. Mitigations released last month to combat CVE-2020-1020 would apparently block attacks relating to CVE-2020-0938 as well.
CVE-2020-1027 – This is a bug in the Windows kernel that lets attackers elevate privileges to run code with kernel access.
There was originally thought to be a fourth zero-day, but Microsoft adjusted some of their patch notes after they were originally released, and they stated CVE-2020-0968 was not a zero-day since it had not actually been exploited in the wild.
While it is unknown at this time who has exploited the zero-days and what type of campaigns they’ve been used in, users should immediately download the patches and update their systems. Attackers will likely take advantage of these bugs again as many users will not get the patches right away. The patches are delivered in bulk, so downloading yesterday’s release will fix the three zero-days along with the other 109 bugs. More information about Patch Tuesday can be found here: https://portal.msrc.microsoft.com/en-us/security-guidance