April Patch Tuesday: Microsoft Battles 4 Bugs Under Active Exploit

Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update since the work-from-home era truly got underway.
"The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code."
"If the current user is logged in as admin, an attacker could host a specially crafted website, hosting this vulnerability, once the unpatched user navigates the malicious site, the attacker could then exploit this bug, allowing the attacker to gain remote access to the host," he explained.
"Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font," according to Dustin Childs, with ZDI, in a Patch Tuesday analysis.
As for attack vector, "To exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane," he added.
News URL
https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/