Windows 10 users alerted to seven critical vulnerabilities
Microsoft has released the latest bunch of security updates for April, collectively known as Patch Tuesday. Unlike emergency out-of-band updates, the Patch Tuesday update rolls out at the same time each month and fixes a swathe of security problems in one fell swoop. Amongst the fixes for some 133 vulnerabilities across a range of Microsoft products in the April update, a few stand out as far as Windows 10 users are concerned. Of the 15 critical vulnerabilities confirmed by Microsoft, seven are for Windows 10. There are also two “zero-day” exploits hitting Windows users, quite literally, as they are currently being actively used by attackers.
These Windows ‘zero-day’ exploits are in the wild right now
Let’s start with those actively exploited vulnerabilities, CVE-2020-1020 and CVE-2020-0938, which have been known about now for nearly a month. As I reported on March 23, Microsoft confirmed these Windows vulnerabilities, which had no fix and were being actively exploited by attackers. At the time, Microsoft referred to “limited targeted attacks,” and those attacks are still ongoing, exploiting vulnerabilities in the Windows Adobe Font Manager Library. Windows 10 users are at risk of an attacker being able to install programs, view or change data and create new accounts. If you have used any of the workarounds that Microsoft suggested in March, these can be removed once you’ve installed the Patch Tuesday security update that fixes the problem.
Seven critical Windows 10 vulnerabilities confirmed
The full April 2020 update release notes are published by Microsoft, but what we know about the seven critical vulnerabilities impacting Windows 10 users is as follows.
CVE-2020-0965 is described as a Microsoft Windows Codecs Library remote code execution vulnerability. It is related to the way that the Codecs Library handles objects in memory and requires a maliciously crafted image file to exploit.
CVE-2020-0910 is a Windows Hyper-V remote code execution vulnerability. It can be used by an attacker running a malicious application on a guest operating system, exploiting improperly validated input from an authenticated user on that guest system.
CVE-2020-0948, CVE-2020-0949 and CVE-2020-0950 are all memory corruption vulnerabilities that exist in Windows Media Foundation. They can be exploited in multiple ways, including the opening of a malicious document or visiting a malicious web page. A successful attack could lead to program installation, data being changed or deleted, and accounts with full user rights being created.
CVE-2020-0687 is a remote code execution vulnerability in the Windows font library. An attacker can exploit this with maliciously crafted fonts via a web-based attack scenario or a file-sharing one. The result in both cases is control of the attacked system.
CVE-2020-0907 also impacts Microsoft graphic components, specifically in the way that objects in memory are handled. An attacker convincing a user to open a malicious file would be able to execute arbitrary code on the system.
What do you need to do now?
If you have your Windows 10 machine set up with automatic updates enabled, then you could just wait for the updates to arrive and install. However, given that there are seven critical vulnerabilities fixed this month, and those two exploits that are being used in active attacks, it might be an idea to jump the gun. Type “update” into your Windows 10 search bar and go to the check for Windows updates option. This will then force a check for updates, giving you the opportunity to download and install immediately. As always, it’s also worth backing up your data before installing any update, just in case there are any bugs, which wouldn’t be unheard of when it comes to Windows updates after all. The vital thing, though, is that you do update, whether that is sooner, as recommended by both me and the U.S. government, or later.