Microsoft April 2019 Security Updates, patches two 0-days


Microsoft issued its April 2019 Security Updates, which include fixes for 75 unique vulnerabilities, 16 of them rated critical, and two zero-days that were being actively exploited.

The updates address multiple Microsoft products, including Windows, Edge, Office, Office Services and Web Apps, ChakraCore, ASP.NET, Exchange Server, Team Foundation Server, Azure DevOps Server, Open Enclave SDK, and Windows Admin Server.

All of the 16 critical updates address remote code execution (RCE) bugs.

Win32K zero-day vulnerabilities

The two zero-day elevation of privilege vulnerabilities, CVE-2019-0803 and CVE-2019-0859, impact Win32K, a core component of the Windows operating system.

Microsoft describes each of the two Win32K vulnerabilities the same way:

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft further confirmed that each of the bugs has active exploits detected in the wild.

The 16 critical Microsoft RCE vulnerabilities include (along with product family impacted):

Vulnerability    Product Family Impacted
CVE-2019-0739    Browser, Development Tools
CVE-2019-0753    Browser
CVE-2019-0786    Windows
CVE-2019-0790    Windows
CVE-2019-0791    Windows
CVE-2019-0792    Windows
CVE-2019-0793    Windows
CVE-2019-0795    Browser, Development Tools
CVE-2019-0806    Browser, Development Tools
CVE-2019-0810    Browser, Development Tools
CVE-2019-0812    Browser, Development Tools
CVE-2019-0829    Browser, Development Tools
CVE-2019-0845    Windows
CVE-2019-0853    Windows
CVE-2019-0860    Browser, Development Tools
CVE-2019-0861    Browser, Development Tools

Another critical security advisory addresses two Adobe Flash vulnerabilities (CVE-2019-7096 and CVE-2019-7108), for which Adobe released fixes as part of APSB19-19.

A dozen of the patches rated Important address Elevation of Privilege vulnerabilities in multiple products.

A proof-of-concept (PoC) was also made publicly available on GitHub for one of the elevation of privilege bugs, CVE-2019-0841.

See the Security Update Guide and April summary release notes for more details on all patches.