IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft patches three zero-day flaws under active attack

Company's latest Patch Tuesday release targets a total of 113 vulnerabilities

Locks on a screen with one open and in red

Microsoft has patched three vulnerabilities under active attack in its latest Patch Tuesday release.

April's Patch Tuesday is a bumper one, with Microsoft releasing patches for a total of 113 vulnerabilities across 11 products, including three zero-day bugs that were being exploited in the wild.

Two of these "critical" flaws, CVE-2020-0938 and CVE-2020-1020, reside in the Adobe Type Manager Library, and Microsoft previously warned that they were being exploited in "limited attacks".

"A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format," Microsoft explains.

"For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities."

Once successfully executed, Microsoft warns, an attacker could install programmes, view and delete data and create new accounts with full user rights. 

These zero-days, along with CVE-2020-1027 – a bug in the Windows kernel that lets attackers elevate privileges to run code with kernel access that's under active attack – were discovered and reported by Google's Project Zero and the Threat Analysis Group (TAG) security teams. 

Ahead of the release of this month's Patch Tuesday, businesses were advised to brace for a phenomenon called the ‘Fujiwhara effect’, the second of 2020. With Adobe and Oracle also releasing security fixes, Risk Based Security warned that IT administrators could have to process as many as 500 patches, at a time when employees have begun working from home en masse.

“Even for large organizations, processing these new 'Patch Tuesday'disclosures can take weeks, and that’s with a well-funded and coordinated team,” said Risk Based Security. “The hours required for IT security teams to collect, analyze, triage, and then address the coming vulnerabilities will be considerable.

“If there wasn’t enough going on already, organizations must somehow manage the coming vulnerability Fujiwhara effect despite the current business disruption and pressure on security budgets.”

Such a security event is ordinarily rare, with the last one before 2020 occurring in 2014.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022