
Microsoft patches 19 critical bugs in another heavy Patch Tuesday

The volume of vulnerabilities being uncovered by Microsoft remains high, with more than 100 fixes pushed out in April’s Patch Tuesday

Microsoft’s current run of lengthy Patch Tuesday releases shows little sign of ending, with April’s round of bug fixes running to 113 vulnerabilities, slightly below the all-time record, of which 94 are rated important and 19 critical.

The latest release also fixes three zero-day vulnerabilities that are actively being exploited in the wild.

These are listed as CVE-2020-1020, CVE-2020-0938, and CVE-2020-1027. The first two vulnerabilities are both remote code execution flaws that exist in Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted master font – Adobe Type 1 PostScript format. To exploit this, an attacker would have to socially engineer a user into opening a malicious document, or viewing it in the Windows Preview pane.

Richard Melick, senior technical product manager at Automox, a supplier of patch management software, said that April’s Patch Tuesday was not one to skip.

“From increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today’s zero-day, exploited and critical vulnerabilities within 24 hours and the rest within 72 hours to stay ahead of weaponisation.

“Two vulnerabilities stand out among the 113 Microsoft addressed in today’s Patch Tuesday and should be patched within 24 hours. CVE-2020-0938, an exploited zero-day, and CVE-2020-1020, an exploited and publicly disclosed vulnerability, both have the capability to compromise an endpoint all due to an improperly handled font.”

The third zero-day, CVE-2020-1027, is an elevation of privilege vulnerability in the way the Windows kernel handles objects in memory. Successful exploitation through a specially crafted application would give the attacker the ability to execute code on the target system with elevated privileges.

All three zero-days exist on Windows 7, Server 2008 and Server 2008 R2 versions, said Todd Schell, senior security product manager at Ivanti. “If you are still running on those versions of the Windows OS and have not already looked into Extended Security Updates [ESU] support, you are at increased risk,” he added.

Schell also highlighted another important vulnerability in OneDrive, CVE-2020-0935, which could again enable attackers to elevate their privilege levels and take control of the affected system.

Covid concerns

Jay Goodman, strategic product marketing manager at Automox, said that on top of the run-of-the-mill stress of Patch Tuesday, the wider disruption to the industry caused by the Covid-19 coronavirus pandemic would complicate matters for chief information security officers (CISOs).

“Organisations are being forced into a sudden and shocking increase in the number of remote employees. Most organisations had to rapidly adapt to this change by moving access to corporate assets to the VPN, but this added burden on VPNs already stretches their resources thin,” he said.

“Today’s Patch Tuesday package is sure to further strain VPNs across the world. Many organisations are likely to encounter VPN failures and risks from delayed patches reliant on legacy on-premise patch management tools. VPNs are not designed to extend the IT perimeter and we are now faced with a situation where there is no functional perimeter for your organisation.”

Goodman theorised that many would be tempted to double down on VPN and legacy, on-premise endpoint management services to get around this problem, but called this out as a knee-jerk reaction that might end up costing more in the long run. This may be an excellent opportunity to make the case for the long-term cost efficiencies of embracing cloud services, he said.
