Patch/Configuration Management, Vulnerability Management

April Microsoft Patch Tuesday addresses two actively exploited zero-days


Microsoft April 2019 Patch Tuesday's release included fixes for 74 vulnerabilities, 15 of which were classified as critical and most of which affect the Windows operating system itself and two actively exploited vulnerabilities.

The actively exploited vulnerabilities included two Win32K Elevation of Privilege vulnerabilities on of which was discovered by the Alibaba Cloud Intelligence Security Team and the other discovered by Kaspersky.

Both of the flaws can result in unauthorized elevation of privilege, and affect all supported versions of Windows although an attacker must already have local access to an affected system to use or gain kernel-level code execution capabilities.

However, one of the 32 patched remote code execution (RCE) vulnerabilities could potentially be used with them in an exploit chain to obtain full control of a system.

“Aside from these zero-day privilege escalation flaws, it's a fairly standard Patch Tuesday,” said Greg Wiseman, senior security researcher for Rapid7, “which, of course, still means that there are bugs that should be patched as soon as possible, such as the eight vulnerabilities classified as critical in the scripting engine used by Microsoft browsers, and CVE-2019-0822 (an RCE in Microsoft Office that can be exploited by convincing a user to open a malicious file).”

Microsoft also patched a cross-site scripting (XSS) vulnerability in SharePoint Server in CVE-2019-0831that could, potentially allow an attacker to gain unauthorized access to certain content or perform actions on the site using the victim's identity.

Wiseman added the update also includes fixes for two spoofing attacks against the Outlook Web Access (OWA) component of Microsoft Exchange Server were also released today and added that software development shops should also take note of the multiple XSS vulnerabilities and HTML injection flaws that were fixed in Team Foundation Server.”

Chris Goettl, director of product management, security, for Ivanti said that updates from Microsoft, Adobe, Wireshark, Oracle (dropping on April 16) and Opera, coupled with a boatload of end-of-life notices, raise a number of security concerns that are very timely to discuss given the ransomware attack on Arizona Beverages that grinded the company to a halt.

“Microsoft has released 15 updates resolving 74 unique CVEs this month,” Goettl said. “These updates affect the Windows OS, Internet Explorer and Edge browsers, Office, SharePoint and Exchange.”

Adobe's release of a total of seven updates resolving 43 unique CVEs for Adobe Reader and Acrobat, AIR, Flash and Shockwave are the most concerning, Goettl said. Anyone affected by these flaws should remove Shockwave from their environment since render the majority of Shockwave installs still in existence vulnerable, creating an imminent threat.

In addition, users should also beware of the 10 CVEs released by Wireshark since it is an overlooked IT tool that can pose a significant risk. Users should ensure it is updated or removed where it is no longer needed.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.