Microsoft patches three 0-Day bugs exploited in the wild

 


Microsoft has released its monthly batch of security updates that fix 113 vulnerabilities in various products, including three Windows flaws that have been exploited in attacks for arbitrary code execution and privilege escalation.

Two of the zero-days, tracked as CVE-2020-1020 and CVE-2020-0938, reside in the Windows Adobe Type Manager Library and impact all supported versions of Windows, as well as Windows 7.

The two RCE flaws exist because of the way the Windows Adobe Type Manager Library handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. The vulnerabilities could be exploited by tricking a user into opening a specially crafted document, or viewing it in the Windows Preview pane.

Another zero-day patched this month is CVE-2020-1027, a Windows kernel flaw that allows a local user to escalate privileges on the system. A local user can use a specially crafted application to trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Microsoft has also addressed high-severity flaws impacting Internet Explorer, Office, MSR JavaScript Cryptography Library, Microsoft Graphics Component and other products.
