Microsoft April Patch Tuesday fixed 113 security vulnerabilities

Microsoft released the April security update patch on Tuesday, fixing 113 security issues from simple spoofing attacks to remote code execution. Products include Android App, Apps, Microsoft Dynamics, Microsoft Graphics Component, Microsoft JET Database Engine, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows, Microsoft Windows DNS, Open Source Software, Remote Desktop Client, Visual Studio, Windows Defender, Windows Hyper-V, Windows Kernel, Windows Media, and Windows Update Stack.

Microsoft November Patch Tuesday

In this update, Microsoft has fixed a total of 17 critical-level vulnerabilities, some of which are summarized below.

  • CVE-2020-0687: Microsoft Graphics remote code execution vulnerability

The vulnerability is caused by the improper handling of specially crafted embedded fonts by the Windows font library. An attacker may exploit this vulnerability in various ways. One is to exploit the vulnerability by inducing users to visit specially crafted websites in a web-based scenario. The other is to induce users to open specially crafted documents in a file-sharing scenario.

  • CVE-2020-0907: Microsoft Graphics Component Remote Code Execution Vulnerability

There is a remote code execution vulnerability in the processing of objects in memory by Microsoft Graphics Components. This vulnerability is triggered only when the user opens a specially crafted file. An attacker who successfully exploited the vulnerability could execute arbitrary code on the target system.

 To exploit these vulnerabilities, attackers need to upload specially crafted SharePoint packages to the affected version of SharePoint to allow them to execute arbitrary code in the SharePoint application pool and SharePoint server.

When the Windows Adobe Type Manager library handled the multi-master font (Adobe Type 1 PostScript format) improperly, the remote code execution vulnerability appeared. If an attacker exploits this bug on any operating system other than Windows 10, arbitrary code can be executed remotely. On Windows 10, they will be limited to executing code in the AppContainer sandbox with limited privileges.

  • CVE-2020-0968: In Internet Explorer, there is a remote code execution vulnerability in the script engine’s processing of objects in memory. The vulnerability can destroy memory, allowing an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same permissions as the current user.

These are the remote code execution vulnerabilities that exist when the ChakraCore script engine and Chakra script engine process objects in memory. Affecting Microsoft Edge (EdgeHTML-based), this vulnerability can destroy memory and allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same permissions as the current user.