Microsoft patches 4 Windows 0days under active exploit

Enlarge / A man looks at the home screen for the "new" Windows 7 platform when it was launched in October 2009. Microsoft has ended support, but the OS lives on. (credit: Katie Collins - PA Images / Getty Images)

Microsoft has patched four actively exploited vulnerabilities that allow attackers to execute malicious code or elevate system privileges on devices that run Windows.

Two of the security flaws—tracked as CVE-2020-1020 and CVE-2020-0938—reside in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. On supported operating systems other than Windows 10, attackers who successfully exploit the vulnerabilities can remotely execute code. On Windows 10, attackers can run code inside an AppContainer sandbox. The measure limits the system privileges malicious code has, but even then, attackers can use it to create accounts with full user rights, install programs, and view, change, or delete data.

Attackers can exploit the flaws by convincing a target to open a booby-trapped document or viewing it in the Windows preview pane. Tuesday’s advisories said that Microsoft is “aware of limited, targeted attacks that attempt to leverage” both vulnerabilities. Microsoft revealed last month that one of the bugs was being exploited in limited attacks against Windows 7 machines.

Read 10 remaining paragraphs | Comments

from Biz & IT – Ars Technica https://ift.tt/2xjw3G1