Microsoft addressed 113 CVEs in the April 2020 Patch Tuesday release, marking the second month in a row that Microsoft has patched over 100 CVEs; the March 2020 Patch Tuesday contained fixes for 115 CVEs. Of the 113 CVEs, 19 were rated as critical. Two vulnerabilities were publicly disclosed prior to Patch Tuesday. Initially, we reported that four vulnerabilities were exploited in the wild. However, Microsoft updated the exploit status for one of those vulnerabilities, decreasing the count to three.
Microsoft released a patch for CVE-2020-1020, a remote code execution vulnerability in the Adobe Font Manager Library that was first made public on March 23, when Microsoft published an advisory detailing its in-the-wild exploitation. Microsoft also patched CVE-2020-0938, another remote code execution vulnerability in Adobe Font Manager Library that was also exploited in the wild. Though both affect Adobe Font Manager Library, there is currently no confirmation that the two are related to the same set of in-the-wild attacks.
To exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane.
Additionally, Microsoft patched CVE-2020-0968, a memory corruption vulnerability in Internet Explorer. This flaw exists due to the improper handling of objects in memory by the scripting engine. There are multiple scenarios in which this vulnerability could be exploited. The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.