
Published on April 15th, 2020


4 Windows 0days under active exploit get fixes in this month's Update Tuesday



A man looks at the home screen for the "new" Windows 7 platform when it was launched in October 2009. Microsoft has ended support, but the OS lives on.

Microsoft has patched four actively exploited vulnerabilities that allow attackers to execute malicious code or elevate system privileges on devices that run Windows.

Two of the security flaws—tracked as CVE-2020-1020 and CVE-2020-0938—reside in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. On supported operating systems other than Windows 10, attackers who successfully exploit the vulnerabilities can remotely execute code. On Windows 10, attackers can run code inside an AppContainer sandbox. The measure limits the system privileges malicious code has, but even then, attackers can use it to create accounts with full user rights, install programs, and view, change, or delete data.

Attackers can exploit the flaws by convincing a target to open a booby-trapped document or view it in the Windows preview pane. Tuesday’s advisories said that Microsoft is “aware of limited, targeted attacks that attempt to leverage” both vulnerabilities. Microsoft revealed last month that one of the bugs was being exploited in limited attacks against Windows 7 machines.

While installing the newly available patches is the best way to protect vulnerable systems, temporary workarounds for those who need to buy more time include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Renaming ATMFD.DLL (on Windows 10 systems that have a file by that name) or, alternatively, disabling the file from the registry

These are the same mitigations that Microsoft recommended in its March advisory. Once the patches are installed, users can roll back the mitigations.

But wait... there’s more

A third zero-day exploit is against CVE-2020-0674, a remote code execution vulnerability in the way that a Windows scripting engine handles objects in memory for Internet Explorer. Microsoft assessed the severity of the vulnerability as critical in all supported versions of Windows except for Windows 10, Windows Server 2019, and Windows Server 2016, where the vulnerability is rated as moderate.

“In a Web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” wrote Microsoft in Tuesday’s advisory. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”





A stopgap workaround is to restrict access to the JScript.dll file.
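
A read-only audit of the service and file workarounds mentioned above (the WebClient service, ATMFD.DLL and JScript.dll), which helps track which stopgaps are in place and will need rolling back after patching. This is an added example, not code from the article or from Microsoft; the `Get-WorkaroundStatus` name, the default System32 location and the reading of a Deny ACL entry as the JScript.dll restriction are assumptions.

```powershell
# Added example: reports the state of the stopgap workarounds. Nothing is changed.
# Assumptions: PowerShell 3.0 or later; both DLLs sit in the default System32
# directory; a JScript.dll restriction appears as a Deny entry in the file's ACL.
function Get-WorkaroundStatus {
    param(
        # Assumed default location of ATMFD.DLL and JScript.dll.
        [string]$SystemDir = (Join-Path $env:windir 'System32')
    )

    # WebClient service: the workaround is active when StartMode is Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        $webClient = 'service not installed'
    } else {
        $webClient = "StartMode=$($svc.StartMode), State=$($svc.State)"
    }

    # ATMFD.DLL: once renamed, the file no longer exists under its original name.
    $atmfdPath = Join-Path $SystemDir 'ATMFD.DLL'
    if (Test-Path -LiteralPath $atmfdPath) {
        $atmfd = 'present under original name'
    } else {
        $atmfd = 'not present (renamed, or not shipped on this build)'
    }

    # JScript.dll: list any identities that have been denied access to the file.
    $jsPath = Join-Path $SystemDir 'jscript.dll'
    if (Test-Path -LiteralPath $jsPath) {
        $deny = @((Get-Acl -LiteralPath $jsPath).Access |
                  Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            $names = $deny | ForEach-Object { $_.IdentityReference.Value }
            $jscript = 'access denied for: ' + ($names -join ', ')
        } else {
            $jscript = 'no Deny entries (access not restricted)'
        }
    } else {
        $jscript = 'file not found'
    }

    [pscustomobject]@{
        WebClientService = $webClient
        AtmfdDll         = $atmfd
        JScriptDll       = $jscript
        PreviewPane      = 'not checked by this script'
    }
}

Get-WorkaroundStatus | Format-List
```

On 64-bit Windows, run it a second time with `-SystemDir` pointing at the SysWOW64 directory to cover the 32-bit copy of JScript.dll.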

The last zero-day exploit targets CVE-2020-1027, an elevation of privilege flaw in the way that the Windows kernel handles objects in memory. Attackers who already have limited system rights on a vulnerable machine can use the exploit to execute malicious code. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

Microsoft didn’t provide any details about the attacks that are underway against the latter two flaws.

Threat analysis group gets credit

The software maker credited discovery of three of the four zero-day exploits exclusively to Google’s threat analysis group, which tracks government-backed hack attacks against the company’s users. Credit for the discovery of CVE-2020-0674 was jointly given to the Google group and researchers from Qihoo 360.

Google’s threat analysis group reported the attacks against the Adobe Type Manager flaws on March 23 and, per the company’s disclosure policy for actively exploited bugs, gave Microsoft seven days to fix or disclose the flaw. Google later gave Microsoft an extension to accommodate work slowdowns caused by the novel coronavirus pandemic. Group members plan to issue a report that details the Adobe flaws in the next month or so. It's not clear when the threat analysis group will provide details about the other two vulnerabilities.

Typically, Windows devices in home and smaller-office settings receive patches automatically within 24 hours. It’s always a good idea to make sure updates are installed within that time frame. Administrators in larger organizations face the sometimes-difficult task of testing patches before deploying them to ensure they’re compatible with systems already in place. That task is likely to be harder this month, with the work disruptions caused by COVID-19 infections sweeping the globe.
