HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services

On April 2020 Patch Tuesday, Microsoft released updates to correct 113 vulnerabilities in its operating systems and software solutions, 19 of which have been rated critical. This month’s round of updates includes fixes for at least 3 zero-day vulnerabilities that are being actively exploited in real world attacks.

Two of the actively exploited vulnerabilities were announced by Microsoft in March and Microsoft suggested workarounds to limit the potential for exploitation. The flaws – CVE-2020-0938 and CVE-2020-1020 – both affect the Adobe Font Manager Library and can lead to remote code execution on all supported Windows versions. The flaws are partially mitigated in Windows 10 and could only result in code execution in an AppContainer sandbox with limited privileges and capabilities. The flaws could be exploited if a user is convinced to open a specially crafted document or if it is viewed in the Windows Preview pane.

The third actively exploited zero-day is a Windows Kernel vulnerability that was discovered by Google’s Project Zero team. The flaw, tracked as CVE-2020-1027, could allow remote code execution with elevated privileges. The flaw has been exploited in attacks on Windows 10 devices, but older operating systems are also vulnerable.

A further flaw was initially reported as having been exploited but is now marked as “exploitation likely”. The flaw, tracked as CVE-2020-0968, affects Internet Explorer and concerns how the scripting engine handles objects in the memory.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

A further vulnerability, CVE-2020-0935, which affects OneDrive for Windows, is rated important but it has been publicly disclosed. The flaw is due to improper handling of shortcut links. Exploitation of the flaw would allow an attacker to further compromise systems and execute additional payloads. Since OneDrive is installed on many devices and is being used extensively by remote workers for sharing and storing files, it would be an attractive vulnerability for hackers. It should therefore be prioritized along with the critical and actively exploited flaws.

Many of the vulnerabilities could be exploited by convincing an employee to visit a malicious website or open a specially crafted document sent via email, which could then result in the installation of malware, backdoors, information disclosure, and access to devices with full user rights.  With so many work-from-home employees during the COVID-19 pandemic, and with cybercriminals targeting those individuals, it is more important than ever for patches to be applied promptly.

End of Support Delayed by Microsoft for Windows 10, Windows Server, and Software and Services

Microsoft has also announced that it will be delaying end of support for certain operating systems, software, and services in 2020, to ease the pressure on IT departments at this difficult time.

Many IT workers have also been forced to work from home and the increased stress of managing IT and providing support to a largely at-home workforce has meant there has been little time to take the necessary steps to prepare for updates to software and operating systems.

“As a member of the global community, we want to contribute to reducing the stress our customers face right now. To that end, we have delayed the scheduled end of support and servicing dates for the following products to help people and organizations focus their attention on retaining business continuity,” explained Microsoft in a recent support article.

End of support dates have been extended for the following operating systems, software, and services.

  • Windows 10 1709/1809: April 14, 2020 >> October 13, 2020
  • Windows Server 1809: May 12, 2020 >> November 10, 2020
  • Configuration Manager version 1810: May 12, 2020 >> November 10, 2020
  • SharePoint Server 2010, SharePoint Foundation 2010, and Project Serer 2010: >> May 27, 2020 >> December 1, 2020
  • Dynamics 365 Cloud Services: October 13, 2020 >> April 13, 2021
  • Basic Authentication in Exchange Online: September 2020 >> December 2020

End of support dates for all other software and services scheduled for 2020 remain unchanged.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.