Here’s a brief overview of the most important vulnerabilities disclosed this week, including security updates from Microsoft, Adobe and Oracle.
As part of April Patch Tuesday, Microsoft rolled out a batch of security updates fixing 113 vulnerabilities across its products, including three Windows flaws that have already been exploited in attacks for arbitrary code execution and privilege escalation.
Two of the zero-days, tracked as CVE-2020-1020 and CVE-2020-0938, reside in the Windows Adobe Type Manager Library and impact all supported versions of Windows, as well as Windows 7.
Another zero-day patched this month is CVE-2020-1027, a Windows kernel flaw that allows a local user to escalate privileges to SYSTEM. A local user can run a specially crafted application that triggers memory corruption and executes arbitrary code on the target system with elevated privileges.
The vendor has also addressed high-severity flaws impacting Internet Explorer, Office, Word, MSR JavaScript Cryptography Library, Microsoft Graphics Component and other products.
Adobe issued a small batch of Patch Tuesday security updates for April covering three products (Adobe Digital Editions, Adobe After Effects, and Adobe ColdFusion), with all vulnerabilities rated low or medium. The flaws allowed a remote attacker to carry out a DoS attack, escalate privileges on the system, or gain access to sensitive information.
This week software supplier Oracle released its quarterly update, which includes 397 security patches addressing 450 CVEs across more than 100 products, including Oracle Database Server and Oracle VM Server.
The products mentioned above contain several high-risk flaws that allow a remote attacker to execute arbitrary code on a target system.
German industrial manufacturing company Siemens issued advisories regarding several of its products. Siemens KTK, SIDOOR, SIMATIC, and SINAMICS solutions are affected by CVE-2019-19300, which a remote attacker can use to trigger resource exhaustion and cause a denial of service (DoS).
Siemens TIM 3V-IE and 4R-IE Family Devices contain a dangerous flaw which allows a remote attacker to gain control over the device.
A high-severity vulnerability (CVE-2020-10639) was found in Eaton HMiSoft VU3, an HMI operator interface. A remote unauthenticated attacker can exploit this flaw to trigger a stack-based buffer overflow (by tricking a victim into opening a maliciously crafted file) and execute arbitrary code on the target system. In addition, a specially crafted input file can trigger an out-of-bounds read (CVE-2020-10637) when loaded by the affected product.
Cisco has also released a batch of patches for a number of its products. Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones, Cisco UCS Director and Cisco UCS Director Express for Big Data, Cisco Webex Network Recording Player and Cisco Webex Player, and Cisco Wireless LAN Controller.