Microsoft Patch Tuesday Crushes Three Actively Trafficked Windows 10 Zero-Day Exploits And More
In case you were thinking about holding off applying yesterday's Patch Tuesday update, which requires a system reboot, you should probably go ahead and hit the restart button. This month's cumulative update patches a whopping 113 vulnerabilities, at least three of which are zero-day flaws currently being exploited in the wild.
This is one of the more important Patch Tuesday updates in quite some time, and unlike last month's, it comes without revealing any nasty wormable exploits. Of the 113 bugs it squashes, 19 are labeled as critical, the most severe rating Microsoft assigns, and the other 94 are all labeled as important.
The collection of updates also addresses numerous products, including Windows, Edge (both the newer Chromium-based version and the older EdgeHTML build), Internet Explorer, Office and Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac.
Some sites are reporting that there are four zero-day flaws fixed in this collection. According to KrebsOnSecurity, however, one of those is a critical IE flaw whose advisory has since been revised to indicate there are no reports of it being actively exploited. That could change soon, though, as Microsoft warns in its advisory.
One of the zero-day exploits is another bug related to the Adobe Font Manager library (CVE-2020). This one can be exploited remotely, and Microsoft first detailed it last month, when it was observed being used in attacks.
There's also a second zero-day flaw in the Adobe Font Manager (CVE-2020-0938), which does not appear to be related to the other one. The last of the three is one that affects Windows 10 and Windows 7 PCs (CVE-2020-1027).
"An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions," Microsoft explains.
Microsoft also notes that this one requires the attacker to have local authentication to run a specially crafted application. So in that regard, it is not quite as serious as the others.