April 2019 Patch Tuesday: Microsoft fixes two actively exploited bugs

Microsoft has plugged 74 CVE-numbered security holes on this April 2019 Patch Tuesday, including two vulnerabilities actively exploited by attackers. All of the bugs are rated either Critical or Important.

Adobe has also released security updates for many of its products, including the widely used Flash Player and Shockwave Player (the freeware software plug-in for viewing multimedia and video games in web pages).

The Adobe updates

Adobe has provided security updates for many software packages.

The Flash update contains fixes for a bug that could lead to information disclosure bug and a critical use-after-free vulnerability that could lead to arbitrary code execution in the context of the current user (CVE-2019-7096).

Critical flaws have also been killed off in the Bridge CC, InDesign, Adobe XD, Acrobat and Reader, and Shockwave Player.

None of the plugged holes are under active exploitation. Nevertheless, Qualys Senior Director of Product Management Jimmy Graham advises administrators to prioritize Adobe Flash and Acrobat/Reader patches for workstation-type systems.

The Microsoft updates

Microsoft has delivered a security update for Adobe Flash that mirrors that of Adobe.

Other updates are for a wide variety of software. Among the most notable vulnerabilities fixed are:

CVE-2019-0803 and CVE-2019-0859: Two Win32k vulnerabilities that could be exploited to elevate privileges on a targeted system and take it over.

Flagged by Kaspersky Labs and the Alibaba Cloud Intelligence Security Team, both of these are actively exploited in the wild and were zero-days when the attacks were detected by the researchers.

“There’s not much info on how these bugs are being used, but targeted malware seems the most likely source. Regardless, get these rolled out to your systems quickly,” says Dustin Childs, Director of Communications for Trend Micro’s Zero Day Initiative.

CVE-2019-0841: A privilege escalation vulnerability in the Windows AppX Deployment Service (AppXSVC), which is responsible for the deployment of Windows Store apps.

“The vulnerability involves the service’s handling of hard links. A PoC has been made available in the public domain. Patching should be prioritized for both Workstations and Servers, as this service exists on both Windows 10 and Server 2019,” Graham advises.

CVE-2019-0853: A remote code execution flaw in the Windows Graphics Device Interface (GDI).

“There are multiple ways an attacker could exploit the vulnerability,” Microsoft explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.”

CVE-2019-0845: A remote code execution flaw in the IOleCvt interface (The Automation interface for the IOleCvt object enables an ASP Web page to perform a variety of string conversions from one format to another).

“In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability,” the company noted.

CVE-2019-0856: A remote code execution flaw that arose due to Windows’ improper handling of objects in memory. It was flagged by the Australian Cyber Security Centre (Australian Signals Directorate).

“To exploit the vulnerability, an authenticated attacker could connect via the Windows Remote Registry Service, causing Windows to execute arbitrary code,” Microsoft shared.

“This patch write-up is definitely an oddity. The title lists this as Remote Code Execution, but the description indicates an attacker would need to log on to a system to exploit the bug. Either way, considering it affects all supported Windows versions and that it was fixed by ‘correcting how Windows handles objects in memory,’ – this patch should definitely not be missed,” Childs opined.