UPDATED 21:41 EDT / APRIL 14 2020

SECURITY

Microsoft patches critical vulnerabilities that were being exploited by hackers

Microsoft Corp. today announced it has patched a range of vulnerabilities in its monthly security release, including two critical vulnerabilities discovered March 23 that were being exploited by hackers.

The two remote code execution vulnerabilities are in the Adobe Type Manager Library (atmfd.dll), which Windows uses to render PostScript Type 1 fonts. Attackers were exploiting the vulnerabilities in multiple ways, such as persuading a user to open a specially crafted document or to view it in the Windows Preview pane.

In total 113 vulnerabilities were addressed in the update, including 17 that were categorized as critical and 96 as important. Patches covered a range of Microsoft products including Windows, Edge, ChakraCore, Office, Office Services, Web Apps, Internet Explorer, Windows Defender, Microsoft Dynamics, Visual Studio, Microsoft Apps for Android and Microsoft Apps for Mac.

The release may not be without installation issues, since millions are working remotely via virtual private networks because of the coronavirus pandemic.

Jay Goodman, strategic product marketing manager at the cybersecurity hygiene firm Automox Inc., told SiliconANGLE that “on top of the usual Patch Tuesday stress, we are also in the midst of the most disruptive technological event we have faced. Organizations are being forced into a sudden and shocking increase in the number of remote employees.”

The way most organizations have adapted to this change is to move access to corporate assets to the VPN, but that has added to the burden on VPNs, stretching their resources thin, he said.

“Today’s Patch Tuesday package is sure to further strain VPNs across the world,” he said. “Many organizations are likely to encounter VPN failures and risks from delayed patches reliant on legacy on-premise patch management tools.”

The problem, Goodman added, is that VPNs aren’t designed to extend the information technology perimeter. “Doubling down on VPN and legacy on-premise endpoint management solutions would be a knee-jerk reaction that does not take into consideration the long-term cost efficiencies of embracing a digital transformation to the cloud,” he said.

In addition to the Adobe Type Manager vulnerabilities, two others stood out as being critical for businesses to apply, according to Todd Schell, senior product manager of security for IT software company Ivanti Inc.

“Microsoft has resolved an Important vulnerability in the Windows Kernel (CVE-2020-1027) which could allow an Elevation of Privilege,” he said. “An attacker could take advantage of how the Windows Kernel handles objects in memory to elevate their permissions and take control of the affected system.”

Another vulnerability in OneDrive (CVE-2020-0935) is described by Schell as allowing attackers to elevate their privilege level, which could enable them to run a specially crafted application to take control of the affected system. “OneDrive has an update feature that periodically checks and updates the OneDrive binary, so most customers should already be protected from this vulnerability,” Schell concluded.
