Microsoft's April Security Patch Bundle Released -- Redmondmag.com

Microsoft's April Security Patch Bundle Released

By Kurt Mackie
04/09/2019

Microsoft announced the release of its April security patches on Tuesday, addressing 74 unique vulnerabilities.

Microsoft's complete list of security patches can be found in its "Security Update Guide" for this month, now totaling 83 pages. As usual, Microsoft's security software partners tend to offer more digestible fare. Microsoft also released one security advisory this month on Adobe Flash.

Update 4/10: Security software provider Sophos is currently investigating a failure-to-boot issue that users described seeing after installing Microsoft's April security patches for Windows 7, Windows 8.1, Windows Server 2008 and Windows Server 2012 machines. Spiceworks forum participants described a similar issue, with some saying that removing KB4493472 fixed the issue.

This "update Tuesday" bundle of security fixes could seem a little crazier than usual because security updates also are arriving from Adobe, Opera, Oracle and Wireshark, according to Chris Goettl, director of product management for security at Ivanti. A recap of Microsoft's and other software vendors' patches will be held on April 10 as part of Ivanti's Patch Tuesday talk series (registration here).

Expiring Products
Goettl noted in Ivanti's blog that IT pros should take care to remove Adobe Shockwave as it's no longer supported and is subject to exploits. Moreover, "Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment," so he recommended applying updates.

In addition to applying Microsoft's security patches, Goettl noted that organizations are facing a bunch of expired or expiring software products this month, entailing even more update tasks to complete. Here's Goettl's useful list of expiring software:

Windows 10 branch 1709 (for Pro licenses) -- April 9, 2019
Windows 10 branch 1607 - April 9, 2019
XP Embedded POSReady 2009 - April 9, 2019
Java 8 (last update was January 2019) -- January 2019
Adobe Shockwave - April 9, 2019
Windows 7 - January 14, 2020
Server 2008 - January 14, 2020
Server 2008 R2 - January 14, 2020

Critical and Important Patches
Of the 74 vulnerabilities in Microsoft's April patch bunch, 13 are rated "Critical" by Microsoft, while 61 are rated "Important," according to Dustin Childs in Trend Micro's Zero Day Initiative analysis.

Patches are arriving for the following software items this month, according to Microsoft's release notes:

Adobe Flash Player
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
ChakraCore
ASP.NET
Microsoft Exchange Server
Team Foundation Server
Azure DevOps Server
Open Enclave SDK
Windows Admin Center

Of the Critical vulnerabilities, a few were highlighted by Cisco's Talos security researchers. For instance, they pointed to CVE-2019-0753, an Internet Explorer memory-handing problem that could lead to a remote code execution attacks. Exploiting it would require tricking end users to visit a "specially crafted Web site" or getting them to click on an embedded ActiveX control in a Microsoft Office document.

Other Critical vulnerabilities noted by Talos included CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793 and CVE-2019-0795, which are all Microsoft XML issues that could lead to remote code execution attacks.

Just two of the vulnerabilities (CVE-2019-0803 and CVE-2019-0859) are considered to be under active attack, according to the Zero Day Initiative. Even though these two Windows 32K elevation-of-privilege flaws are just rated "Important," Childs advised quickly patching them.

Childs called out three other vulnerabilities to note this month, as well. CVE-2019-0853 is a Critical Windows GDI+ remote code execution vulnerability that was discovered by the Zero Day Initiative. CVE-2019-0688 is an Important Windows TCP/IP protocol flaw that could lead to information disclosure. CVE-2019-0856 is an Important Windows remote code execution vulnerability, but it's noteworthy to patch because it fixes a general Windows memory-handling issue, according to Childs.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.