Microsoft fixes 74 bugs in its April 2019 Patch Tuesday releases

There are 16 Microsoft bugs marked as critical, as well as serious flaws in Adobe Flash and Acrobat that require immediate attention

April’s Patch Tuesday release from Microsoft includes fixes for 74 security vulnerabilities found in Windows and other Microsoft products. Sixteen of the bugs were labeled as critical by Microsoft.

Simultaneously, Adobe published updates for its Flash plugin and for the Acrobat and Adobe Reader software, in addition to patches for the Shockwave player, InDesign, DreamWeaver, and several other enterprise applications. The fixes to Flash and Acrobat both resolve a number of serious bugs, some of which can result in the execution of arbitrary code on the victim’s computer if the victim views a maliciously crafted Flash app or opens a weaponized PDF document using one of the vulnerable versions of these tools. It’s possible that the Adobe bugs may be exploited on operating systems other than just Windows, such as MacOS, Chrome OS, or Linux. These Adobe applications are not updated through Microsoft’s Update mechanism and require users to visit Adobe’s website to download the updates.

A total of 13 of these new Microsoft bugs are elevation of privilege (EoP) flaws, a vulnerability class that allows an attacker who already has initial access to a system to gain more control over it. Two EoP flaws, patched during earlier Patch Tuesday releases (CVE-2019-0803 and CVE-2019-0859), have, according to Microsoft, been spotted being exploited in the wild, which is why it is so important to install these updates as soon as possible.

Another 13 remote code execution vulnerabilities affect the two Microsoft web browsers, Edge and Internet Explorer.

It’s worth reminding readers that the availability of patches does not mean that your computer has installed them yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-04” at the Microsoft Update Catalog website.

Here are some details about the most notable vulnerabilities fixed in this month’s release:

Windows Virtual Store

CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836, CVE-2019-0732

As a result of a concentrated effort to uncover bugs in the Windows Virtual Store Driver (also known as LUA File Virtualization – luafv.sys), Microsoft fixed 6 bugs in this component.

The bugs exist in the programmatic interface between user programs and the high-privilege Windows Virtual Store driver, in code paths that are unreachable by network services, web browsers, or document readers. These bugs fall under the Elevation of Privilege classification.

Edge Web Browser

CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0860, CVE-2019-0861

Now to the regularly scheduled batch of newly fixed security vulnerabilities in the JIT component of Edge’s JavaScript engine Chakra.

After many dozens of critical security bugs have been found in this same component, it seems that Microsoft’s decision to replace Edge’s internals with Chromium’s is a wise one, at least for the purposes of security.

A remote attacker, running a malicious website, could exploit any of these to gain control of a Windows machine unlucky enough to browse to it via Edge.

VBScript

CVE-2019-0739, CVE-2019-0752, CVE-2019-0753, CVE-2019-0793, CVE-2019-0794, CVE-2019-0862

Another vulnerability-prone engine receives 6 bug fixes.

These bugs are as risky to affected systems as any other browser vulnerability, but the good news is that on up-to-date Windows systems, VBScript is only supported by the deprecated Internet Explorer browser, and even then it’s blocked for Internet sites by default.

Users who did not go out of their way to enable VBScript support in their browser should not be concerned about getting compromised by these bugs. Users who did, well, you (or a network administrator) should really turn that off by toggling the Group Policy setting titled Allow VBScript to run in Internet Explorer to Disabled. You can find this policy item in the Group Policy tool (gpedit.msc) under Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone.
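For administrators who want to verify that the policy above is actually in effect on a machine (or apply it without opening gpedit.msc), here is an added audit helper; it is not part of the original post. It assumes that this Group Policy item is stored as the DWORD value 140C under the Internet Zone (Zones\3) policy key, using the usual IE URL-action encoding of 0 = Enable, 1 = Prompt, 3 = Disable, and that the per-user HKCU zone key holds the effective setting when no machine policy exists.

```powershell
# Added audit/remediation helper for the "Allow VBScript to run in Internet Explorer"
# policy (Internet Zone). Not from the original post.
# Assumptions: value name 140C under Zones\3; 0 = Enable, 1 = Prompt, 3 = Disable.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '140C'

function Get-VBScriptInternetZoneState {
    # Machine policy (HKLM\...\Policies) wins over the per-user setting when both exist.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $v = $item.$ValueName
            $state = switch ($v) {
                0       { 'Enabled' }
                1       { 'Prompt' }
                3       { 'Disabled' }
                default { "Unknown($v)" }
            }
            return [pscustomobject]@{ Source = $key; Value = $v; State = $state }
        }
    }
    # No explicit value: the browser default applies (blocked for Internet sites on
    # up-to-date Windows, as the post notes), but nothing enforces it.
    return [pscustomobject]@{ Source = 'none'; Value = $null; State = 'Not set' }
}

function Disable-VBScriptInternetZone {
    # Same effect as setting the Group Policy item to Disabled; needs an elevated shell.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 3 -PropertyType DWord -Force | Out-Null
}

$state = Get-VBScriptInternetZoneState
$state | Format-List
if ($state.State -ne 'Disabled') {
    Write-Warning 'VBScript is not explicitly disabled for the Internet Zone by policy.'
    # Disable-VBScriptInternetZone   # uncomment to enforce the policy on this machine
}
```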

IOleCvt Interface

CVE-2019-0845

This extremely hard-to-exploit buffer overflow bug in the OlePrn.OleCvt ActiveX control probably should not bother anyone, and does not normally warrant a mention here – except for the fact it was found and reported to Microsoft by the SophosLabs Offensive Security Research team! Expect more in the future.

Sophos coverage

Sophos has released the following detections to address the vulnerabilities mentioned above. Please note that additional vulnerabilities and corresponding detections may be released in the future.

CVE             SAV              IPS       Intercept-X
CVE-2019-0753   Exp/20190753-A   2201101   N/V
CVE-2019-0793   Exp/20190793-A   2201102   N/V
CVE-2019-0803   Exp/20190803-A   N/A       N/V
CVE-2019-0806   Exp/20190806-A   3310803   N/V
CVE-2019-0812   Exp/20190812-A   3310801   N/V
CVE-2019-0859   Exp/20190859-A   N/A       N/V

N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. The ability of Intercept X to block the exploit depends on the actual exploit weaponization approach, which we won’t see until it’s spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.

Additional IPS Signatures

CVE             Signature
CVE-2019-0752   2201100
CVE-2019-0794   2201103
CVE-2019-0801   3310804
CVE-2019-0810   3310802
CVE-2019-0822   3310800
CVE-2019-0829   9000848
CVE-2019-0860   9000850
CVE-2019-0861   9000851
CVE-2019-0862   9000852

How long does it take to have Sophos detection in place?

We aim to add detection for critical issues, based on the type and nature of the vulnerabilities, as soon as possible. Please note that some detections might not be available because of the limited data we receive.

It is mostly not possible to test with Intercept-X due to the nature of the data we receive.

What if the vulnerability/0-day you look for is not covered above?

The most likely reason for this is we did not receive enough information about the vulnerability to create detection.

Please ask your question in the comment area; licensed customers can directly contact Sophos support with questions or concerns about their protection for any vulnerability/0-day (part of the latest MS/Adobe release or from the wild) which is not covered or not fully explained here. We will respond to your inquiry as soon as possible.