Microsoft has released about 113 security bug fixes for Windows and Office in their April 2020 dump of patches on ‘Patch Tuesday’.
The main change is a block on external references in VBA code, a change that hasn’t been fully documented.
These security fixes will be pushed out via Windows Update in the usual way. Cautious users might like to pause Windows Update for a few weeks to avoid any problems caused by the patches, an all too common problem.
Two ways to stop Office automatic updates
Why updating Office is like the Kobayashi Maru a ‘no win scenario’
Some of the security bugs that caught our eye …
Excel, Word and Office remote code execution bugs
There are two Excel security patches to block ways to run code from within a workbook, CVE-2020-0979 and CVE-2020-0906, plus one in Word, CVE-2020-0980.
Office generally has two more ‘remote code execution’ patches, CVE-2020-0991 and CVE-2020-0760, plus an elevation of privilege patch, CVE-2020-0984.
Jet database engine
Jet is the database heart of Office products, especially Access and Excel. Security bugs in Jet are a serious concern because the system, while hidden ‘under the hood’, is widely used.
April 2020 sees TEN security problems fixed:
Graphics Remote Code bug
The Graphics engine is another vital part of Windows and Office. Any time an image or graphic is put on the screen, the graphics engine is involved. Hackers love making images which trick the engine into running other code.
This month there are a dozen security patches released.
Most attention is on the Adobe Font Manager fixes: CVE-2020-1020 and CVE-2020-0938.
There’s a Critical flag on CVE-2020-0687, a remote code execution bug.
And there’s more!
There are many security patches for Windows Media Foundation; three are marked ‘Critical’. There’s also a critical security bug in a Codecs library.
There’s even an ‘elevation of privilege’ bug in OneDrive for Windows, CVE-2020-0935.