[SingCERT] Microsoft April 2019 Patch Tuesday

Published on 10 Apr 2019

Updated on 23 Oct 2019

Background

Microsoft has announced the release of over 74 security patches to address vulnerabilities affecting its operating system and products.

The following vulnerabilities were rated critical and require immediate attention:

  • CVE-2019-0739, CVE-2019-0806, CVE-2019-0812, CVE-2019-0829, CVE-2019-0861 - These vulnerabilities exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. Successful exploitation of these vulnerabilities could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0786 - This vulnerability exists in the Microsoft Server Message Block (SMB) Server when an attacker with valid credentials attempts to open a specially crafted file over the SMB protocol on the same machine. Successful exploitation of the vulnerability could allow the attacker to bypass certain security checks in the operating system.
  • CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795 - These vulnerabilities exist when the Microsoft XML Core Services MSXML parser processes user input. Successful exploitation of these vulnerabilities could allow the attacker to run malicious code remotely to take control of the system.
  • CVE-2019-0845 - This vulnerability exists when the IOleCvt interface renders ASP webpage content. Successful exploitation of the vulnerability could allow the attacker to run malicious code remotely to take control of the system.
  • CVE-2019-0853 - This vulnerability exists in the way that the Windows Graphics Device Interface handles objects in the memory. Successful exploitation of the vulnerability could allow the attacker to take control of the affected system. An attacker could then install programs, create new accounts with full user rights, or view, change, and delete data.
  • ADV190011 - These Adobe vulnerabilities could allow an attacker to execute arbitrary code through a specially crafted website targeting users using Internet Explorer on desktop.
For the full list of security updates released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance.

Affected Products

The security release contains updates for the following software:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • ASP.NET
  • Microsoft Exchange Server
  • Team Foundation Server
  • Azure DevOps Server
  • Open Enclave SDK
  • Windows Admin Center
Impact

Successful exploitation of these critical vulnerabilities could allow attackers to perform remote code execution and take control of the affected system to perform malicious activities, including unauthorised installation of programs, creating rogue administrator accounts and viewing, changing, or deleting data.

Recommendations

Users and system administrators of affected products are advised to apply the security updates immediately.

References

https://portal.msrc.microsoft.com/en-us/security-guidance

https://www.bleepingcomputer.com/news/microsoft/microsofts-april-2019-patch-tuesday-fixes-74-vulnerabilities/

https://www.bleepingcomputer.com/news/security/adobe-releases-april-2019-security-updates-for-flash-shockwave-and-more/