April’s Patch Tuesday this year was a rather large one, with 113 patches released that deal with vulnerabilities in 11 products, including three zero-day bugs in Windows. Microsoft had previously released information and mitigation recommendations for one of the vulnerabilities that was being exploited by attackers in the wild. The three zero-day bugs being dealt with are:
CVE-2020-1020 – A vulnerability in the Windows Adobe Type Manager Library that makes it possible for attackers to run code on vulnerable systems. It does not affect Windows 10.
CVE-2020-0938 – This bug also lies in the Windows Adobe Type Manager Library, but the difference is that its existence was not publicly known until the patches were released yesterday. Mitigations released last month to combat CVE-2020-1020 would apparently block attacks relating to CVE-2020-0938 as well.
CVE-2020-1027 – This is a bug in the Windows kernel that lets attackers elevate privileges to run code with kernel access.
There was originally thought to be a fourth zero-day, but Microsoft adjusted some of its patch notes after their original release and stated that CVE-2020-0968 was not a zero-day, since it had not actually been exploited in the wild.