April’s patch Tuesday release from Microsoft includes fixes for three zero-day vulnerabilities in Windows that are under active attack.
CVE-2020-1020 is a flaw in the Windows Adobe Type Manager Library. According to Microsoft:
For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.
The third zero-day is a privilege escalation tracked as: CVE-2020-1027 which affects most versions of the Windows operating system since Windows 7 and Server 2008.
Overall there are 113 fixes in the April Patch Tuesday bundle from Microsoft.