Microsoft and Adobe have released their April Patch Tuesday updates, which this month comprise a relatively modest 74 CVE vulnerabilities, 15 of which are rated ‘critical’.
But there’s still plenty to worry about, which is why a good place to start is with the two zero-day vulnerabilities Microsoft says are being actively exploited.
Zero-days
These are CVE-2019-0803 and CVE-2019-0859, both identical-looking elevation of privileges (EoP) issues in the same Win32k component.
Microsoft offers little detail about the reported exploitation, but both would still require local access, which earns them a designation of ‘important’ rather than critical.
That hints that they are probably being chained with other vulnerabilities, known or unknown, which is why patching them should be a top priority.
Criticals and beyond
The 14 Microsoft flaws marked critical – often a euphemism for remote code execution (RCE) – include six in the Edge browser’s Chakra Scripting Engine, which often now seems to generate a lot of patching work.
Add to this three more RCEs in Microsoft XML – CVE-2019-0791, CVE-2019-0792, and CVE-2019-0793 – and the threat posed by attackers who can lure victims to malicious websites through vulnerable browser components is underscored.
Others to patch include CVE-2019-0853, a critical RCE in the way the Windows Graphics Device Interface (GDI) handles objects in memory. Ditto CVE-2019-0824, CVE-2019-0825, and CVE-2019-0827, a hat-trick of important-rated flaws affecting the Microsoft Office Access Connectivity Engine, and CVE-2019-0856, an issue in the Windows Remote Registry Service.
We can be less worried about the half dozen flaws in Internet Explorer’s VBScript, a deprecated component that is still in Windows 10, although this should be blocked by default on this version of Windows.
SophosLabs RCE
One flaw is being fixed thanks to Yaniv Frank of the SophosLabs Offensive Research Team (ORT), namely CVE-2019-0845. While fiddly to exploit, it’s an issue in the IOleCvt ActiveX control which could lead to an RCE.
Shockwave no more
After a quiet March, Adobe’s update hits users with a more normal load of updating work, including 21 CVEs – 11 of which are critical fixes for Adobe Reader. There are two vulnerabilities in Flash Player, one of which, CVE-2019-7096, is marked critical.
For anyone who’s forgotten, this month also marks the end of Shockwave Player. The last patched version will be 12.3.5.205 as outlined in APSB19-20. From now on, the only people receiving updates will be licensed enterprises.
Anonymous
When you recommend these patches, you should mention https://community.sophos.com/kb/en-us/133945. Currently the Windows patches on older systems conflict with running Sophos installations :-(
Anna Brading
Sorry if you’ve been affected by this issue. We are working to fix it asap!
Stephanie Gelder
YEAH, but they break PCs only with Sophos on, which is genius. Any fix, or are we literally having to fix each PC one at a time when they die? Which, with 500 PCs, isn’t fun!
Anna Brading
Hi Stephanie, We’re so sorry for the inconvenience. We are working as quickly as we can to get this fixed. Keep an eye on https://community.sophos.com/kb/en-us/133945
Stuart Wright
All our Windows 7 PCs refuse to work after this latest update. This is very annoying.
Anna Brading
We have identified a permanent fix for this issue, and automatic rollouts for customers have already begun. We expect the updates to take place over a two to three week period.