Microsoft patches exploited Windows zero-days

Microsoft's regular Patch Wednesday collection of security fixes for the Windows operating system and related software products closes four serious vulnerabilties classed as zero-days.

Three of the vulnerabilties are currently being exploited by unknown threat actors, Microsoft said.

Two of the flaws affect the Adobe Type Manager Library that ships with Windows, and can be exploited through maliciously-crafted Type 1 Postscript format multiple master fonts.

The vulnerabilities can be triggered by embedding malicious Type 1 fonts into documents and convincing users to open them or look at them in the Windows Explorer preview pane, Microsoft said.

One of the Adobe Type Manager Library flaws, CVE-2020-1020, has been disclosed publicly, Microsoft said.

A third fix is for a memory corruption issue in the Windows kernel, which could be used by locally authenticated attackers to achieve privilege escalation.

All three zero-days were discovered by Google's Project Zero and Threat Analysis Group security researchers.

This month's Patch Wednesday is large, with 113 vulnerabilties taken care of.

Of these, 15 are rated as critical, and 93 as important, with administrators advised to apply patches for the vulnerabilities as soon as possible.

All in all, Patch Wednesday addresses 39 remotely exploitable vulnerabilties, and 38 privilege escalation bugs in Windows and other Microsoft products.