Microsoft and Adobe have released their April Patch Tuesday updates, which this month comprise a relatively modest 74 CVE vulnerabilities, 15 of which are rated ‘critical’.
But there’s still plenty to worry about, which is why a good place to start is with the two zero-day vulnerabilities Microsoft says are being actively exploited.
Zero-days
These are CVE-2019-0803 and CVE-2019-0859, two near-identical elevation of privilege (EoP) issues in the same Win32k component.
Microsoft offers little detail about the reported exploitation, but both would still require local access, which earns them a designation of ‘important’ rather than critical.
That hints that they are probably being chained with other vulnerabilities, known or unknown, which is why patching them should be a top priority.
Criticals and beyond
The 14 Microsoft flaws marked critical – often a euphemism for remote code execution (RCE) – include six in the Edge browser’s Chakra Scripting Engine, which often now seems to generate a lot of patching work.
Add to this three more RCEs in Microsoft XML (CVE-2019-0791, CVE-2019-0792 and CVE-2019-0793), and the threat posed by attackers who can lure victims to malicious websites through vulnerable browser components is underscored.
Others to patch include CVE-2019-0853, a critical RCE in the way the Windows Graphics Device Interface (GDI) handles objects in memory. Ditto CVE-2019-0824, CVE-2019-0825 and CVE-2019-0827, a hat-trick of important-rated flaws affecting the Microsoft Office Access Connectivity Engine, and CVE-2019-0856, an issue in the Windows Remote Registry Service.
We can be less worried about the half-dozen flaws in Internet Explorer’s VBScript, a deprecated component that is still present in Windows 10, although it should be blocked by default on that version of Windows.
SophosLabs RCE
One flaw is being fixed thanks to Yaniv Frank of the SophosLabs Offensive Research Team (ORT), namely CVE-2019-0845. While fiddly to exploit, it’s an issue in the IOleCvt ActiveX control which could lead to an RCE.
Shockwave no more
After a quiet March, Adobe’s update hits users with a more normal load of updating work, including 21 CVEs – 11 of which are critical fixes for Adobe Reader. There are two vulnerabilities in Flash Player, one of which, CVE-2019-7096, is marked critical.
For anyone who’s forgotten, this month also marks the end of Shockwave Player. The last patched version will be 12.3.5.205 as outlined in APSB19-20. From now on, the only people receiving updates will be licensed enterprises.