April 2020 and – rest assured – your Windows PC can still be pwned by something so innocuous as an unruly font
Adobe and Intel add their woes
Microsoft has delivered another epic Patch Tuesday, dropping fixes for more than 100 security bugs, and Adobe and Intel have added their dose of misery and security too.
April showers from Redmond
The April edition of Patch Tuesday sees the release of fixes for 113 CVE-listed bugs. Four really important ones are already being exploited in the wild. Of those, two target font code, another goes for an old VBScript error, and the last one requires local access.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft warns.
"An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."
A fifth flaw (CVE-2020-0935) was publicly disclosed but not exploited in the wild. That flaw was an elevation of privilege bug in OneDrive.
The massive patch load is no accident, say experts.
"If you feel like there have been a lot of patches this year, you’re not wrong," notes Dustin Childs of the Trend Micro Zero Day Initiative. "Microsoft has seen a 44 per cent increase in the number of CVEs patched between January to April of 2020 compared to the same time period in 2019."
As per usual, browser bugs make up most of this month's critical updates. Flaws in Redmond's Media Foundation, Chakra Scripting Engine, and SharePoint account for the lion's share of the critical-rated issues this month.
Of more interest are the critical flaws in Hyper-V (CVE-2020-0910) and VBScript (CVE-2020-0967) that allow remote code execution via a guest account or a VBScript engine code break.
Meanwhile, Adobe skipped updates for Flash this month, opting instead to put out fixes for a local privilege escalation flaw in ColdFusion, an information disclosure hole in After Effects, and an information disclosure flaw in Digital Editions.
Six Intel updates
Over in the realm of Chipzilla, we have six patches for various firmware flaws.
They include escalation of privilege flaws in the NUC firmware, escalation of privilege bugs in the Intel Binary Configuration Tool, escalation of privilege errors in the Modular Server Compute Module, denial of service bugs in the Driver and Support Assistant, an elevation of privilege flaw in ProSet/Wireless Wifi, and an escalation of privilege error in the Intel Data Migration Software. ®