Microsoft patches 113 vulnerabilities, including three zero-days, in April 2020 Patch Tuesday update

Two of the three zero-days were disclosed by Microsoft last month

Microsoft has released its April 2020 Patch Tuesday update, addressing a total of 113 security vulnerabilities across 11 products and platforms.

Of the 113 security flaws fixed this month, 19 are rated as 'critical', while the rest are 'important' bugs.

Overall, the security update includes patches for Microsoft Windows, Windows Defender, Microsoft Dynamics, Visual Studio, ChakraCore, Microsoft Edge (Chromium- and EdgeHTML-based versions), Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft Apps for Mac, and Microsoft Apps for Android.

It has released patches for three zero-day flaws that are currently being exploited in the wild by threat actors.

One of them is CVE-2020-1020, a remotely exploitable vulnerability existing in the Adobe Font Manager library. This flaw was first disclosed last month, when Microsoft revealed that threat actors were using it to launch attacks against chosen targets. This bug lets attackers to remotely execute arbitrary code on vulnerable systems, after they convince a target to open a booby-trapped document or view it in the Windows preview pane.

Another related zero-day is CVE-2020-0938, a remote code execution (RCE) bug that impacts an OpenType font renderer within Windows. The vulnerability arises when the Windows Adobe Type Manager Library improperly handles a specially-created multi-master font - Adobe Type 1 PostScript format.

For all systems running an operating system other than Windows 10, an attacker can remotely execute code after successfully exploiting the vulnerability.

For systems running Windows 10, the bug lets an attacker to execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then create new accounts with full user rights; install programmes; or view, change, or delete data.

The mitigations suggested by Microsoft last month can block attempts from hackers to exploit this bug.

The third zero-day patched by Microsoft yesterday is CVE-2020-1027. This bug exists in the way that the Windows kernel handles objects in memory, enabling attackers to elevate privileges to execute code with kernel access.

Microsoft has also release a patch for critical vulnerability CVE-2020-0968, for which the company issued a correction in it security advisory.

According to the software giant, it has not yet received reports of this bug being used in active attacks, and therefore, it is not a zero-day.