Microsoft Patches 3 Zero-Day Exploits, Delays Some End-of-Support

April 15, 2020 - Microsoft released fixes for 113 vulnerabilities found in a range of platforms on Patch Tuesday, including 15 critical flaws, 93 important issues, and three zero-day vulnerabilities. The tech giant also announced it would delay end-of-support for a range of older Windows systems until the COVID-19 pandemic ends.

The tech giant also recently announced moves to support healthcare organizations during the crisis.

Patches have been released for two known vulnerabilities, which Microsoft recently warned hackers were already targeting with remote code execution (RCE) attacks. Found in the Windows Adobe Type Manager Library on all supported platforms running server and desktop releases, a successful exploit would allow a hacker to take control of the device.

The flaw is found in the way the manager library “improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.”

“For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely,” Microsoft warned. “For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities.”

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” they added. “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

The tech giant previously provided workarounds, while its security team developed system fixes. Organizations that apply the security update will no longer need to employ the mitigations.

The third zero-day vulnerability patched by Microsoft on Tuesday is found in the improper way Windows kernel handles objects in memory. If exploited, an attacked could obtain information that would allow them to compromise the user’s system.

“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application,” according to the alert. “The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.”

“The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory,” it continued. “An attacker could read the contents of Kernel memory from a user mode process.”

The vulnerability was not publicly disclosed before now, and the released update will make exploitation of the flaw less likely.

Microsoft also decided it would delay the end-of-support for Windows 10 version 1709, 1809, and older software and services, in light of the struggles organizations are facing amid the Coronavirus pandemic. It’s just the latest move from the tech giant that could significant help healthcare providers. Microsoft has been working with hospitals impacted by ransomware during the crisis.

Initially, end-of-support for Windows 10 version 1709 was slated for April 14, 2020, which has now been bumped to October 13, 2020, while support for version 1809 for Windows 10 and Server will be moved from May until November 10, 2020.

Support for Configuration Manager version 1810 will now go through December 1, 2020, while support for SharePoint Server, Foundation, and Project Server 2010 will now last through 2021. And Dynamics 365 cloud services has been delayed two months until December 2020.

“The end of support date for Exchange Server 2010, Office 2010, Project 2010, Office 2016 for Mac, and Office 2013 connectivity to the Office 365 services remains the same,” Microsoft wrote.

“Microsoft has been deeply engaged with customers around the world who are impacted by the current public health situation,” they added. “As a member of the global community, we want to contribute to reducing the stress our customers face right now.”

Microsoft will be providing healthcare organizations with free access to its AccountGuard threat notification service to help those on the front lines, as “their work is challenging enough but is being made more difficult by cyberattacks, now or in the future.”

Given many of the successful attacks on healthcare organizations during the pandemic have come through email, the platform should allow providers to better detect these cyberattacks. Microsoft can also provide needed guidance. The move follows several others by security firms seeking to shore up vulnerabilities in the healthcare sector, ensuring care can continue without disruptions.