Microsoft April 2020 Patch Tuesday comes with fixes for three zero-days

Microsoft rhis week published its monthly roll-up of security updates known as Patch Tuesday.This month’s updates are a bulky release. The OS maker made available patches today for 113 vulnerabilities across 11 products, including three zero-day bugs that were being actively exploited in the wild.

As always, details remain scant for the time being. Details about zero-day attacks are usually kept under wraps for days or weeks, to give users time to patch and prevent attackers from developing proof-of-concept code.

The three zero-days patched this month are:

CVE-2020-1020 – A vulnerability in the Windows Adobe Type Manager Library lets attacker run code on vulnerable systems. Attacks can be executed remotely. The zero-day does not impact Windows 10. Details about this zero-day became public last month, but a patch was only released today.
CVE-2020-0938 – This is a second bug in the same Windows Adobe Type Manager Library. Bug somewhat similar to the one above, but its existence was disclosed only today, unlike the first one. The Microsoft mitigations published last month, if applied, also blocked attacks exploiting this second bug.
CVE-2020-1027 – A bug in the Windows kernel lets attackers elevate privileges to run code with kernel access.
CVE-2020-0968 – ̶A̶ ̶b̶u̶g̶ ̶i̶n̶ ̶t̶h̶e̶ ̶I̶n̶t̶e̶r̶n̶e̶t̶ ̶E̶x̶p̶l̶o̶r̶e̶r̶ ̶s̶c̶r̶i̶p̶t̶i̶n̶g̶ ̶e̶n̶g̶i̶n̶e̶ ̶c̶a̶n̶ ̶a̶l̶l̶o̶w̶ ̶a̶t̶t̶a̶c̶k̶e̶r̶s̶ ̶t̶o̶ ̶t̶a̶k̶e̶ ̶c̶o̶n̶t̶r̶o̶l̶ ̶o̶f̶ ̶a̶ ̶r̶e̶m̶o̶t̶e̶ ̶s̶y̶s̶t̶e̶m̶.̶   Microsoft issued a correction on the CVE-2020-0968 security advisory to update its exploitation status. This bug has not been exploited in the wild before, hence, it is not a zero-day. Article content and title updated accordingly.

According to Microsoft, the first three zero-days were discovered and reported by Google’s two security teams — Project Zero and the Threat Analysis Group (TAG).

Lacking any other details, it is currently unclear if the three zero-days have been used by the same threat actor, or in the same hacking campaign.

Since Patch Tuesday updates are delivered in bulk, installing today’s updates fixes all three zero-days at once, along with the 109 other security bugs.

Additional information about this month’s Patch Tuesday is included below, including links to security fixes published by other companies:

Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
ZDNet has also put together this page listing all security updates on one single place.
Adobe’s security updates are detailed here.
SAP security updates are available here.
VMWare security updates are available here.
Google Chrome security updates were released last week, on April 7.
Oracle’s second CPU this year is available here.
The Android Security Bulletin for April 2020 is detailed here. Patches started rolling out to users’ phones last week.

Tag CVE ID CVE Title
Android App CVE-2020-0943 Microsoft YourPhone Application for Android Authentication Bypass Vulnerability
Apps CVE-2020-1019 Microsoft RMS Sharing App for Mac Elevation of Privilege Vulnerability
Microsoft Dynamics CVE-2020-1050 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
Microsoft Dynamics CVE-2020-1018 Microsoft Dynamics Business Central/NAV Information Disclosure
Microsoft Dynamics CVE-2020-1049 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
Microsoft Dynamics CVE-2020-1022 Dynamics Business Central Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-0952 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2020-0938 Adobe Font Manager Library Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-0687 Microsoft Graphics Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-0987 Microsoft Graphics Component Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2020-1004 Windows Graphics Component Elevation of Privilege Vulnerability
Microsoft Graphics Component CVE-2020-1005 Microsoft Graphics Component Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2020-0958 Win32k Elevation of Privilege Vulnerability
Microsoft Graphics Component CVE-2020-0907 Microsoft Graphics Components Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-0982 Microsoft Graphics Component Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2020-0964 GDI+ Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-1020 Adobe Font Manager Library Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-0784 DirectX Elevation of Privilege Vulnerability
Microsoft JET Database Engine CVE-2020-0995 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0999 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0988 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0992 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0994 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0953 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0889 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0959 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-0960 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-1008 Jet Database Engine Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0979 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0980 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0984 Microsoft (MAU) Office Elevation of Privilege Vulnerability
Microsoft Office CVE-2020-0760 Microsoft Office Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0991 Microsoft Office Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0961 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0931 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0906 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-0935 OneDrive for Windows Elevation of Privilege Vulnerability
Microsoft Office SharePoint CVE-2020-0927 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0923 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0925 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0924 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0932 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2020-0930 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0933 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0920 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2020-0929 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2020-0971 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2020-0975 Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePoint CVE-2020-0978 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0977 Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePoint CVE-2020-0976 Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePoint CVE-2020-0974 Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2020-0973 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0972 Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePoint CVE-2020-0954 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-0926 Microsoft Office SharePoint XSS Vulnerability
Microsoft Scripting Engine CVE-2020-0968 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2020-0966 VBScript Remote Code Execution Vulnerability
Microsoft Scripting Engine CVE-2020-0895 Windows VBScript Engine Remote Code Execution Vulnerability
Microsoft Scripting Engine CVE-2020-0969 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2020-0970 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2020-0967 VBScript Remote Code Execution Vulnerability
Microsoft Windows CVE-2020-0942 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-0965 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Microsoft Windows CVE-2020-0940 Windows Push Notification Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-0934 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1029 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1011 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1094 Windows Work Folder Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1016 Windows Push Notification Service Information Disclosure Vulnerability
Microsoft Windows CVE-2020-0794 Windows Denial of Service Vulnerability
Microsoft Windows CVE-2020-1017 Windows Push Notification Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-0944 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1006 Windows Push Notification Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1009 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-0981 Windows Token Security Feature Bypass Vulnerability
Microsoft Windows CVE-2020-1001 Windows Push Notification Service Elevation of Privilege Vulnerability
Microsoft Windows DNS CVE-2020-0993 Windows DNS Denial of Service Vulnerability
Open Source Software CVE-2020-1026 MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability
Remote Desktop Client CVE-2020-0919 Microsoft Remote Desktop App for Mac Elevation of Privilege Vulnerability
Visual Studio CVE-2020-0899 Microsoft Visual Studio Elevation of Privilege Vulnerability
Visual Studio CVE-2020-0900 Visual Studio Extension Installer Service Elevation of Privilege Vulnerability
Windows Defender CVE-2020-1002 Microsoft Defender Elevation of Privilege Vulnerability
Windows Defender CVE-2020-0835 Windows Defender Antimalware Platform Hard Link Elevation of Privilege Vulnerability
Windows Hyper-V CVE-2020-0918 Windows Hyper-V Elevation of Privilege Vulnerability
Windows Hyper-V CVE-2020-0910 Windows Hyper-V Remote Code Execution Vulnerability
Windows Hyper-V CVE-2020-0917 Windows Hyper-V Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-0699 Win32k Information Disclosure Vulnerability
Windows Kernel CVE-2020-1027 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-1003 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-0955 Windows Kernel Information Disclosure in CPU Memory Access
Windows Kernel CVE-2020-1015 Windows Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-1000 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-1007 Windows Kernel Information Disclosure Vulnerability
Windows Kernel CVE-2020-0957 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-0936 Windows Scheduled Task Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-0956 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-0962 Win32k Information Disclosure Vulnerability
Windows Kernel CVE-2020-0821 Windows Kernel Information Disclosure Vulnerability
Windows Kernel CVE-2020-0913 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-0888 DirectX Elevation of Privilege Vulnerability
Windows Media CVE-2020-0948 Media Foundation Memory Corruption Vulnerability
Windows Media CVE-2020-0937 Media Foundation Information Disclosure Vulnerability
Windows Media CVE-2020-0949 Media Foundation Memory Corruption Vulnerability
Windows Media CVE-2020-0939 Media Foundation Information Disclosure Vulnerability
Windows Media CVE-2020-0950 Media Foundation Memory Corruption Vulnerability
Windows Media CVE-2020-0946 Media Foundation Information Disclosure Vulnerability
Windows Media CVE-2020-0947 Media Foundation Information Disclosure Vulnerability
Windows Media CVE-2020-0945 Media Foundation Information Disclosure Vulnerability
Windows Update Stack CVE-2020-0996 Windows Update Stack Elevation of Privilege Vulnerability
Windows Update Stack CVE-2020-1014 Microsoft Windows Update Client Elevation of Privilege Vulnerability
Windows Update Stack CVE-2020-0983 Windows Elevation of Privilege Vulnerability
Windows Update Stack CVE-2020-0985 Windows Update Stack Elevation of Privilege Vulnerability

Hot this week

The Hidden Costs of Overengineering Security

Complex security systems often create more vulnerabilities than they prevent by overwhelming teams with noise and maintenance demands while missing actual threats.

The True Cost of Chasing Compliance Over Security

Compliance frameworks create a false sense of security while modern threats evolve beyond regulatory requirements. Learn how to build actual protection rather than just checking boxes.

The Hidden Risk of Over Reliance on AI Security Tools

Over reliance on AI security tools creates dangerous blind spots by weakening human analytical skills. True resilience comes from balancing technology with continuous team training and critical thinking.

The Quiet Dangers of Overlooking Basic Security Hygiene

Basic security hygiene prevents more breaches than advanced tools, yet most teams overlook fundamentals while chasing sophisticated threats.

Your Password Strategy Is Wrong and Making You Less Secure

The decades-old advice on password complexity is forcing users into insecure behaviors. Modern security requires a shift to passphrases, eliminating mandatory rotation, and embracing passwordless authentication.

Topics

The Hidden Costs of Overengineering Security

Complex security systems often create more vulnerabilities than they prevent by overwhelming teams with noise and maintenance demands while missing actual threats.

The True Cost of Chasing Compliance Over Security

Compliance frameworks create a false sense of security while modern threats evolve beyond regulatory requirements. Learn how to build actual protection rather than just checking boxes.

The Hidden Risk of Over Reliance on AI Security Tools

Over reliance on AI security tools creates dangerous blind spots by weakening human analytical skills. True resilience comes from balancing technology with continuous team training and critical thinking.

The Quiet Dangers of Overlooking Basic Security Hygiene

Basic security hygiene prevents more breaches than advanced tools, yet most teams overlook fundamentals while chasing sophisticated threats.

Your Password Strategy Is Wrong and Making You Less Secure

The decades-old advice on password complexity is forcing users into insecure behaviors. Modern security requires a shift to passphrases, eliminating mandatory rotation, and embracing passwordless authentication.

Why API Security Is Your Biggest Unseen Threat Right Now

APIs handle most web traffic but receive minimal security attention, creating massive unseen risks that traditional web security tools completely miss.

Security Teams Are Asking the Wrong Questions About AI

Banning AI tools is a failing strategy that creates shadow IT. Security teams must pivot to enabling safe usage through approved tools, clear guidelines, and employee training.

The Illusion of Secure by Default in Modern Cloud Services

Moving to the cloud does not automatically make you secure. Default configurations often create significant risks that organizations must actively address through proper tools and processes.
spot_img

Related Articles

Popular Categories