Microsoft patches 4 Windows 0days under active exploit

[InfoSec News <alerts () infosecnews org>]

https://arstechnica.com/information-technology/2020/04/4-windows-0days-under-active-exploit-get-fixes-in-this-months-update-tuesday/

By Dan Goodin
Ars Technica
4/14/2020

Microsoft has patched four actively exploited vulnerabilities that allow 
attackers to execute malicious code or elevate system privileges on devices 
that run Windows.

Two of the security flaws—tracked as CVE-2020-1020 and CVE-2020-0938—reside in 
the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps 
use to manage and render fonts available from Adobe Systems. On supported 
operating systems other than Windows 10, attackers who successfully exploit the 
vulnerabilities can remotely execute code. On Windows 10, attackers can run 
code inside an AppContainer sandbox. The measure limits the system privileges 
malicious code has, but even then, attackers can use it to create accounts with 
full user rights, install programs, and view, change, or delete data.

Attackers can exploit the flaws by convincing a target to open a booby-trapped 
document or viewing it in the Windows preview pane. Tuesday’s advisories said 
that Microsoft is “aware of limited, targeted attacks that attempt to leverage” 
both vulnerabilities. Microsoft revealed last month that one of the bugs was 
being exploited in limited attacks against Windows 7 machines.

While installing the newly available patches is the best way to protect 
vulnerable systems, temporary workarounds for those who need to buy more time 
include:

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_