“This month’s Patch Tuesday is another considerable release, with Microsoft fixing 113 vulnerabilities, 19 of them rated as critical and 94 rated as important. Three of these vulnerabilities were exploited in the wild,” Satnam Narang, principal research engineer at Tenable, noted in an email to SC Media UK.
Currently exploited vulnerabilities are CVE-2020-1020, CVE-2020-0938, CVE-2020-0968 and CVE-2020-1027. The first two, initially disclosed on March 23, are in the Adobe Font Manager Library and can lead to remote code execution.
Narang adds: “Microsoft released a patch for CVE-2020-1020, a remote code execution vulnerability in the Adobe Font Manager Library that was first made public on March 23, when Microsoft published an advisory detailing its in-the-wild exploitation. Microsoft also patched CVE-2020-0938, another remote code execution vulnerability in Adobe Font Manager Library that was also exploited in the wild. Though both affect Adobe Font Manager Library, there is currently no confirmation that the two are related to the same set of in-the-wild attacks. To exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane.”
In addition, Microsoft patched CVE-2020-0968, a memory corruption vulnerability in Internet Explorer. This flaw exists due to the improper handling of objects in memory by the scripting engine. Narang explains that there are multiple scenarios in which this vulnerability could be exploited. “The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.”
“CVE-2020-1027 is an elevation of privilege vulnerability in the Windows Kernel. This is another vulnerability that has been seen exploited in the wild and Microsoft rates it as ‘Exploitation More Likely’,” said Allan Liska, intelligence analyst at Recorded Future, adding, “the vulnerability exists in the way that the Windows kernel handles objects in memory and is exploited by a locally authenticated attacker running a specially crafted application.”
Jonathan Cran, head of research at Kenna Security, said Kenna’s data is showing active attacks using CVE-2020-0796, a critical remote code execution vulnerability against SMBv3, and this appears to be a popular target that is easily exploitable.
“Microsoft pulled the patch for this CVE from the March 2020 Patch Tuesday at the last minute, but some information leaked online around it without a patch available. Now that one is available, organisations should quickly update the affected systems,” Cran said.
Todd Schell, senior product manager at Ivanti, also highlighted CVE-2020-0935 in OneDrive. The vulnerability could allow an attacker to elevate their privilege level, which could enable them to run a specially crafted application to take control of the affected system. Most users will not have to worry about updating OneDrive, as it has a feature that periodically checks and updates the OneDrive binary.
An earlier version of this story was first published on SC US