Microsoft Patch Tuesday April 19

It’s that time of the month again when Microsoft releases news of the vulnerabilities in its products and the patches available to fix them. This month there are a total of 74 vulnerabilities disclosed, with 16 rated Critical, 54 Important, 1 Moderate and 3 Low.

These updates cover issues found in software products such as the MS Windows operating systems, Internet Explorer, MS Edge, Office, MS Exchange Server, the scripting engine, Team Foundation Server and more.

CVE-2019-0803 & CVE-2019-0859 cover two vulnerabilities rated Important that exist in the Win32k component of the Windows operating system. Because the component fails to handle memory objects properly, these vulns allow an attacker to run code in kernel mode and elevate their privileges, so they can view, change and delete data. New accounts could also be created with full user rights.

Note that both of these vulns are currently being actively exploited in the wild, so it’s very important to address these quickly.

Never too far away from a security issue, Server Message Block (SMB) appears this month with a critical privilege escalation and remote code execution vuln. CVE-2019-0786 can be exploited by an attacker using a specially crafted file over the SMB protocol, allowing them to bypass security checks in the operating system. This can lead to a complete system takeover by the remote attacker.

One of the biggest CVSS scores of the month (7.8) goes to the GDI+ remote code execution vuln covered by CVE-2019-0853. Again, this is another case of improper memory object handling but this time in the Windows Graphics Device Interface.

This can be exploited in two different ways: via a web-based attack, which lures users into accessing a malicious website, or via a file-sharing attack, where attackers convince the user to open a malicious document. When successfully exploited, the target system can be completely controlled by a remote attacker.

Five of the 16 critical vulns in this release exist in the MS XML Core Services parser. CVE-2019-0790 to CVE-2019-0793 & CVE-2019-0795 all cover a remote code execution vuln that can result in the bad guys taking control of the target system.

These can be exploited through the use of a phishing email and a malicious website, where attackers can use the users’ web browsers to launch MS XML and run their malicious code remotely.

Known Issues

There are several known issues highlighted in this month’s Patch Tuesday, so please review the release notes to ensure these are understood.

One such issue appears in the Windows 2008 SP2 operating system, where the updates can get stuck on stage 2 or 3 of the restart process.

This is due to Microsoft releasing a new servicing stack update (SSU), which all users of Windows 2008 SP2 will need to install to ensure they can continue to receive the latest security updates.

This SSU is required for the operating system to support future fixes and updates that are signed with the SHA-2 hashing algorithm.

Microsoft recommends that users install the servicing stack update before trying to install this month’s updates / rollup, to prevent the above-mentioned "stuck at stage x" issue.

If you have started the update and you get the stuck message, don’t worry, simply press Ctrl + Alt + Delete and log in. MS believes that this stuck issue should only happen once.
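As an added example (not code from the Ironshare post or from Microsoft), the following PowerShell check reports whether a Windows Server 2008 SP2 host is in a safe state to take the monthly rollup, following the SSU-first ordering described above. The KB identifiers are placeholders, since the post does not give them; take the real ones from the release notes.

```powershell
# Added example, not from the original post. Gate the monthly rollup on the
# servicing stack update (SSU) being present, so Windows Server 2008 SP2 hosts
# avoid the "stuck at stage 2/3" restart issue described in the Known Issues.
# KB numbers below are placeholders; substitute the ones from the release notes.
$SsuKb    = 'KB_SSU_PLACEHOLDER'     # SHA-2 servicing stack update for 2008 SP2
$RollupKb = 'KB_ROLLUP_PLACEHOLDER'  # April 2019 monthly rollup

function Test-UpdateInstalled {
    param([Parameter(Mandatory=$true)][string]$KbId)
    # Get-HotFix reads the same installed-update data as "View installed updates";
    # a missing KB returns nothing rather than throwing when errors are silenced.
    $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Test-PendingReboot {
    # Component Based Servicing creates this key while a restart is outstanding.
    Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
}

function Get-SsuRolloutState {
    param([string]$SsuKb, [string]$RollupKb)
    if (-not (Test-UpdateInstalled -KbId $SsuKb)) {
        if (Test-UpdateInstalled -KbId $RollupKb) {
            # Rollup went on without the SSU: the one-off stall may occur on restart.
            return 'Rollup present without SSU: if the restart stalls, press Ctrl+Alt+Del and log in, then install the SSU'
        }
        return 'SSU missing: install the SSU and restart before applying the rollup'
    }
    if (Test-PendingReboot) {
        return 'SSU installed but a restart is pending: restart before applying the rollup'
    }
    if (Test-UpdateInstalled -KbId $RollupKb) {
        return 'SSU and rollup both installed'
    }
    return 'SSU installed and no restart pending: safe to apply the rollup'
}

Get-SsuRolloutState -SsuKb $SsuKb -RollupKb $RollupKb
```

Run it from an elevated prompt before pushing the rollup; the `Mandatory=$true` form is used so the script also works on the PowerShell 2.0 shipped with 2008 SP2.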

For more info on the SSU click here.

It is important to review this month’s updates and get patching as soon as you possibly can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to reduce risk, prevent exploitation and ultimately stay secure.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes

Security update guidance

Ironshare – Security Simplified