As part of April's Patch Tuesday, Microsoft has issued fixes for various flaws in its operating system and other software products. In all, 113 vulnerabilities were patched, including 96 deemed “important” and 17 described as “critical”, according to a Bleeping Computer report.
Of the critical flaws, Microsoft says two allow remote code execution and are currently being exploited in the wild: CVE-2020-1020 and CVE-2020-0938. Both abuse a flaw in the way the Windows Adobe Type Manager Library handles multi-master fonts.
Although the exploit was used primarily against Windows 7 users, Microsoft said all newer versions (Windows 8, 8.1 and 10, as well as some Windows Server versions) were also vulnerable. Before the patch, Microsoft released a workaround that helped affected users maintain a satisfactory level of security until the fix arrived.
“Although the attacks specifically have targeted Windows 7 systems, not all Win7 systems will receive a patch since the OS left support in January of this year. Only those Windows 7 and Server 2008 customers with an ESU license will receive the patch,” noted Dustin Childs of the Trend Micro Zero Day Initiative.