Microsoft issued the April 2019 Security Updates that include 75 unique vulnerability fixes, 16 of them rated critical and two zero-days that were being actively exploited.
The updates address multiple Microsoft products to include: Windows, Edge, Office, Office Services and Web Apps, ChakraCore, ASP.NET, Exchange Server, Team Foundation Server, Azure DevOps Server, Open Enclave SDK, and Windows Admin Server.
All of the 16 critical updates address remote code execution (RCE) bugs.
Win32K zero-day vulnerabilities
The two zero-day elevation of privilege vulnerabilities CVE-2019-0803 and CVE-2019-0859 impact Win32K, a core component of Windows operating system.
Microsoft describes each of the two Win2K vulnerabilities the same way:
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft further confirmed that each of the bugs have active exploits detected in the wild.
The 16 critical Microsoft RCE vulnerabilities include (along with product family impacted):
| Vulnerability | Product Family Impacted |
| CVE-2019-0739 | Browser Development Tools |
| CVE-2019-0753 | Browser |
| CVE-2019-0786 | Windows |
| CVE-2019-0790 | Windows |
| CVE-2019-0791 | Windows |
| CVE-2019-0792 | Windows |
| CVE-2019-0793 | Windows |
| CVE-2019-0795 | Browser Development Tools |
| CVE-2019-0806 | Browser Development Tools |
| CVE-2019-0810 | Browser Development Tools |
| CVE-2019-0812 | Browser Development Tools |
| CVE-2019-0829 | Browser Development Tools |
| CVE-2019-0845 | Windows |
| CVE-2019-0853 | Windows |
| CVE-2019-0860 | Browser Development Tools |
| CVE-2019-0861 | Browser Development Tools |
Another critical security patch advisory addresses two Adobe Flash vulnerabilities (CVE-2019-7096 and CVE-2019-7108) that were released by Adobe as part of APSB19-19.
A dozen of the patches rated Important address Elevation of Privilege vulnerabilities in multiple products.
A Proof-of-Concept (PoC) was also made available on public GitHub for one of the elevation of privilege bugs CVE-2019-0841.
See the Security Update Guide and April summary release notes for more details on all patches.