Microsoft Patch Tuesday Is Here, Fixing 19 Critical Vulnerabilities

• Microsoft April Tuesday Patch is bringing 115 fixes, 19 of which concern critical vulnerabilities.
• The latest patch covers a wide range of Windows applications and components, so updating is essential.
• If you’re still using Windows 7, you are already facing the risk of 232 known vulnerabilities.

Another month has passed, and it’s time for yet another patch Tuesday, so get updating and fixing. The latest batch of updates by Microsoft covers a whopping 115 vulnerabilities, 19 of which concern critical flaws, and another 96 classified as important. As for which Windows components are affected, they include the kernel, font library, Media Foundation, and SharePoint. Here is the list with the most important fixes, as determined by Cisco Talos researchers:

• CVE-2020-0687: Critical RCE (remote code execution) flaw in the Windows font library. This is exploited by tricking the victim into visiting a specially crafted website or by opening a file that contains an affected font as an embedded element.
• CVE-2020-0907: Critical RCE in Microsoft Graphics Components. The opening of a malicious file is what triggers this flaw.
• CVE-2020-0929, CVE-2020-0931, CVE-2020-0932: Critical RCE flaws in Microsoft SharePoint. An attacker could exploit these flaws by uploading a malicious package onto the target SharePoint.
• CVE-2020-0938 and CVE-2020-1020: Critical RCE flaws in Windows Adobe Type Manager Library. The way to exploit these vulnerabilities is by tricking the target into visiting a specially crafted website using IE.
• CVE-2020-0968 and CVE-2020-0970: Critical memory corruption vulnerabilities in the Internet Explorer scripting engine. An attacker can exploit this flaw by leading the target to a specially crafted website while using IE.
• CVE-2020-0969: Critical memory corruption flaw in the Chakra scripting engine of the Microsoft Edge browser. This is exploited by visiting a maliciously crafted website.
• CVE-2020-0760: Important RCE in Microsoft Office, exploited by the opening of a specially crafted document.
• CVE-2020-0784: Important elevation of privilege vulnerability in DirectX. The exploitation of this flaw pre-supposes local access to the target system.
• CVE-2020-0956, CVE-2020-0957, CVE-2020-0958: Important elevation of privilege flaws in the Windows kernel-mode driver. An attacker would need to have local access to the target system in order to exploit these flaws.
• CVE-2020-1004: Important elevation of privilege vulnerability in Windows Graphics Component. An attacker would need to run a malicious application to exploit this flaw.
• CVE-2020-1005: Important information disclosure flaw in the Windows Graphics Component. An attacker can exploit this vulnerability by running a malicious app on the target system.
• CVE-2020-1027: Important elevation of privilege vulnerability in the Windows kernel. For this flaw to be exploited, the attacker would need to authenticate on the target system and then run a malicious application.

With over a hundred fixes waiting on your update pipeline, there’s always a chance that something may go wrong with the installation of the patch. Thus, this should be the right moment to back up your essential data, and only then should you attempt to apply the patch. Finally, if you’re still using Windows 7, this is the second patch that you’re not getting, so it is well beyond time to look elsewhere.