Seventy-four Microsoft vulnerabilities fixed in April Patch Tuesday
Adobe has also released seven updates fixing 43 security flaws - but Shockwave will remain unpatched against seven critical vulnerabilities
A total of 74 vulnerabilities have been fixed in this month's Patch Tuesday, with 15 of the fixed flaws being labelled 'critical'.
The patches being applied via Microsoft's Update service include fixes for critical flaws, inevitably, in Adobe Flash (CVE-2019-7108 and CVE-2019-7096), while the rest affect various elements of Windows and Windows Server.
This month's Patch Tuesday also includes patches for two zero-day security flaws in Windows - security flaws that are being exploited in the wild right now.
They are CVE-2019-0803 and CVE-2019-0859 and are applicable pretty much across the board, from Windows 7 to the latest version of Windows 10, and including multiple iterations of Windows Server.
CVE-2019-0803 was uncovered by Donghai Zhu of Alibaba Cloud, while CVE-2019-0859 is attributed to Kaspersky's Vasily Berdnikov and Boris Larin.
Both are elevation-of-privilege vulnerabilities that occur when the Win32k component fails to properly handle objects in memory. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode... then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft has warned.
There are currently no further details about exploits or how these two critical security flaws have been used. However, ZDNet's Catalin Cimpanu has conjectured that, like five previous security flaws reported to Microsoft by Kaspersky over the past six months, these security flaws are being exploited by nation-state attackers.
The Adobe Flash security flaws - if you're still running Flash - can lead to information disclosure and arbitrary code execution, and affect the Flash Player across macOS, Linux and ChromeOS, as well as Windows. There are a number of other sundry Adobe security flaws that have also been reported, including seven for Shockwave. However, as Shockwave has been discontinued, there are no patches to cover these flaws.
Chris Goettl, director of product management, security at IT service management firm Ivanti, described April's slew of patches - some of which will land next week - as "crazy".
"We got updates from Microsoft, Adobe, Wireshark, Oracle (dropping on April 16), and Opera. We also have a boat-load of end-of-life notices, which raise a number of security concerns that are very timely to discuss, given the recent Arizona Tea ransomware attack that brought the company to a grinding halt.
"Microsoft has released 15 updates resolving 74 unique CVEs this month. These updates affect the Windows OS, Internet Explorer and Edge browsers, Office, SharePoint and Exchange. Two of the vulnerabilities (CVE-2019-0803 and CVE-2019-0859) resolved in the Windows OS are being used in exploits in the wild. These are Win32k elevation-of-privilege vulnerabilities that could allow a locally authenticated attacker to run arbitrary code in kernel mode.
"Adobe has released seven total updates resolving 43 unique CVEs. Adobe Reader, Acrobat, AIR, Flash, and Shockwave are the most concerning here. You can get updates for Reader, Acrobat, AIR, and Flash, but Shockwave has reached its end-of-life so no update is available for its seven critical vulnerabilities."
In addition to removing Shockwave from any PC environment as a matter of urgency, Goettl urged IT departments to update Wireshark as a priority, too. "Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment. Ensure it gets updated or removed where it is no longer needed," advised Goettl.
He continued: "Obsolete software is a considerable risk to your environment and needs to be addressed even if removal is not the immediate answer. Have a plan in place to mitigate the risk if elimination is not possible."
Goettl also advised on IT security actions with regard to the patches for the next week or three:
- Patch the Windows OS and browsers;
- Patch Adobe Reader, Acrobat, AIR and Flash;
- Remove Shockwave from your environment unless you have a continued support contract with Adobe to receive updates;
- Patch Wireshark;
- Investigate the Office, SharePoint, and Exchange updates and get them rolled out in a reasonable timeframe; and,
- Review end-of-life software in your environment and have an action plan in place to eliminate or mitigate risks. I would suggest:
  - Remove it (best option);
  - Virtualize the workloads;
  - Reduce access;
  - Segregate from the rest of your environment; and,
  - Limit or remove internet connectivity to those workloads