MICROSOFT HAS FIXED a total of 74 vulnerabilities in this month's Patch Tuesday, with 15 of the fixed flaws being labelled 'critical'.
The patches being applied via Microsoft's Update service include fixes for critical flaws, inevitably, in Adobe Flash (CVE-2019-7108 and CVE-2019-7096), while the rest affect various elements of Windows and Windows Server.
April's Patch Tuesday also includes patches for two zero-day security flaws in Windows - security flaws that are being exploited in the wild right now.
CVE-2019-0803 was uncovered by Donghai Zhu of Alibaba Cloud, while CVE-2019-0859 is attributed to Kaspersky's Vasily Berdnikov and Boris Larin. Both are elevation of privilege vulnerabilities that occur when the Win32k component fails to properly handle objects in memory.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode... then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft has warned.
There are currently no further details about exploits or how these two critical security flaws have been used. However, ZDNet's Catalin Cimpanu has conjectured that, like five previous security flaws reported to Microsoft by Kaspersky over the past six months, these security flaws are being exploited by nation-state attackers.
The Adobe Flash security flaws can lead to information disclosure and arbitrary code execution, and affect the Flash Player across macOS, Linux and ChromeOS, as well as Windows. There are a number of other sundry Adobe security flaws that have also been reported, including seven for Shockwave. However, as Shockwave has been discontinued, there are no patches to cover these flaws.
Chris Goettl, director of product management, security at IT service management firm Ivanti, described April's slew of patches - some of which will land next week - as "crazy".
"We got updates from Microsoft, Adobe, Wireshark, Oracle (dropping on April 16), and Opera. We also have a boat-load of end-of-life notices, which raise a number of security concerns that are very timely to discuss, given the recent Arizona Tea ransomware attack that brought the company to a grinding halt.
"Microsoft has released 15 updates resolving 74 unique CVEs this month. These updates affect the Windows OS, Internet Explorer and Edge browsers, Office, SharePoint and Exchange. Two of the vulnerabilities (CVE-2019-0803 and CVE-2019-0859) resolved in the Windows OS are being used in exploits in the wild. These are Win32k elevation-of-privilege vulnerabilities that could allow a locally authenticated attacker to run arbitrary code in kernel mode.
"Adobe has released seven total updates resolving 43 unique CVEs. Adobe Reader, Acrobat, AIR, Flash, and Shockwave are the most concerning here. You can get updates for Reader, Acrobat, AIR, and Flash, but Shockwave has reached its end-of-life so no update is available for its seven critical vulnerabilities."
In addition to removing Shockwave from any PC environment as a matter of urgency, Goettl urged IT departments to update Wireshark as a priority, too. "Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment. Ensure it gets updated or removed where it is no longer needed," advised Goettl.
"Obsolete software is a considerable risk to your environment and needs to be addressed even if removal is not the immediate answer. Have a plan in place to mitigate the risk if elimination is not possible."