UPDATED 21:41 EDT / APRIL 14 2020

Microsoft patches critical vulnerabilities that were being exploited by hackers

Microsoft Corp. today announced it has patched a range of vulnerabilities in its monthly security release, including two critical vulnerabilities discovered March 23 that were being exploited by hackers.

The two remote code execution vulnerabilities are in the Adobe Type Manager Library (atmfd.dll), which Windows uses to render PostScript Type 1 fonts. Attackers were exploiting the vulnerabilities in multiple ways, such as persuading a user to open a specially crafted document or view it in the Windows Preview pane.

In total, 113 vulnerabilities were addressed in the update, including 17 categorized as critical and 96 as important. Patches covered a range of Microsoft products, including Windows, Edge, ChakraCore, Office, Office Services, Web Apps, Internet Explorer, Windows Defender, Microsoft Dynamics, Visual Studio, Microsoft Apps for Android and Microsoft Apps for Mac.

The release may not be without installation issues, since millions of people are working remotely via virtual private networks because of the coronavirus pandemic.

Jay Goodman, strategic product marketing manager at the cybersecurity hygiene firm Automox Inc., told SiliconANGLE that “on top of the usual Patch Tuesday stress, we are also in the midst of the most disruptive technological event we have faced. Organizations are being forced into a sudden and shocking increase in the number of remote employees.”

Most organizations have adapted to this change by moving access to corporate assets to the VPN, but that has added to the burden on VPNs, stretching their resources thin, he said.

“Today’s Patch Tuesday package is sure to further strain VPNs across the world,” he said. “Many organizations are likely to encounter VPN failures and risks from delayed patches reliant on legacy on-premise patch management tools.”

The problem, Goodman added, is that VPNs aren’t designed to extend the information technology perimeter. “Doubling down on VPN and legacy on-premise endpoint management solutions would be a knee-jerk reaction that does not take into consideration the long-term cost efficiencies of embracing a digital transformation to the cloud,” he said.

In addition to the Adobe Type Manager vulnerabilities, two others stood out as being critical for businesses to apply, according to Todd Schell, senior product manager of security for IT software company Ivanti Inc.

“Microsoft has resolved an Important vulnerability in the Windows Kernel (CVE-2020-1027) which could allow an Elevation of Privilege,” he said. “An attacker could take advantage of how the Windows Kernel handles objects in memory to elevate their permissions and take control of the affected system.”

Another vulnerability in OneDrive (CVE-2020-0935) is described by Schell as allowing attackers to elevate their privilege level, which could enable them to run a specially crafted application to take control of the affected system. “OneDrive has an update feature that periodically checks and updates the OneDrive binary, so most customers should already be protected from this vulnerability,” Schell concluded.

Image: Wallpaperflare
