Published on Wednesday, 10 April 2019 18:25
Background
Microsoft has announced the release of over 74 security patches to address vulnerabilities affecting its operating system and products.
The following vulnerabilities were rated critical and require immediate attention:
- CVE-2019-0739, CVE-2019-0806, CVE-2019-0812, CVE-2019-0829, CVE-2019-0861 - These vulnerabilities exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. Successful exploitation of these vulnerabilities could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user.
- CVE-2019-0786 - This vulnerability exists in the Microsoft Server Message Block (SMB) Server when an attacker with valid credentials attempts to open a specially crafted file over the SMB protocol on the same machine. Successful exploitation of the vulnerability could allow the attacker to bypass certain security checks in the operating system.
- CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795 - These vulnerabilities exist when the Microsoft XML Core Services MSXML parser processes user input. Successful exploitation of these vulnerabilities could allow the attacker to run malicious code remotely to take control of the system.
- CVE-2019-0845 - This vulnerability exists when the IOleCvt interface renders ASP webpage content. Successful exploitation of the vulnerability could allow the attacker to run malicious code remotely to take control of the system.
- CVE-2019-0853 - This vulnerability exists in the way that the Windows Graphics Device Interface handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to take control of the affected system. An attacker could then install programs, create new accounts with full user rights, or view, change, and delete data.
- ADV190011 - These Adobe vulnerabilities could allow an attacker to execute arbitrary code through a specially crafted website targeting users of Internet Explorer on desktop.
For the full list of security updates released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance
The security release contains updates for the following software:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Exchange Server
- Team Foundation Server
- Azure DevOps Server
- Open Enclave SDK
- Windows Admin Center
Successful exploitation of these critical vulnerabilities could allow attackers to perform remote code execution and take control of the affected system to perform malicious activities, including unauthorised installation of programs, creating rogue administrator accounts and viewing, changing, or deleting data.
Users and system administrators of affected products are advised to apply the security updates immediately.