April 9, 2019

Microsoft today released fifteen software updates to fix more than 70 unique security vulnerabilities in various flavors of its Windows operating systems and supported software, including at least two zero-day bugs. These patches apply to Windows, Internet Explorer (IE) and Edge browsers, Office, SharePoint and Exchange. Separately, Adobe has issued security updates for Acrobat/Reader and Flash Player.

According to security firm Rapid7, two of the vulnerabilities — CVE-2019-0803 and CVE-2019-0859 — are already being exploited in the wild. They can result in unauthorized elevation of privilege, and affect all supported versions of Windows.

“An attacker must already have local access to an affected system to use these to gain kernel-level code execution capabilities,” Rapid7 researcher Greg Wiseman observed. “However, one of the 32 Remote Code Execution (RCE) vulnerabilities patched today could potentially be used with them in an exploit chain to obtain full control of a system.”

Aside from these zero-day privilege escalation flaws, Wiseman said, it’s a fairly standard Patch Tuesday.

“Which of course still means that there are bugs that should be patched as soon as possible, such as the eight vulnerabilities classified as critical in the scripting engine used by Microsoft browsers, and CVE-2019-0822 (an RCE in Microsoft Office that can be exploited by convincing a user to open a malicious file).”

Adobe’s Patch Tuesday includes security updates for its Flash Player and AIR software, as well as Adobe Reader and Acrobat.

Flash updates are installed along with other monthly Windows patch rollups for consumers, and auto-installed by Google Chrome, but users may need to reboot the operating system (in the case of IE/Edge) or the browser (in Chrome) for the new updates to take effect.

Adobe’s actions also sound the death knell for Adobe Shockwave Player, which has at long last reached end-of-life.

That means no more security updates for Shockwave, which has always been something of an ugly stepchild to Flash. That is to say, Shockwave never really got the security attention Flash has received, but has nevertheless been just as vulnerable, often lagging months or years behind Flash in terms of updates.

Chris Goettl, director of product management and security for security firm Ivanti, said Windows users need to get any existing Shockwave installations out of their environments now.

“There are 7 vulnerabilities that are going to be vulnerable for the majority of Shockwave installs still in existence,” Goettl said. “You can bet an exploit is imminent there.”
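For administrators acting on that advice, the following is an added example (not from the original article or from Ivanti) that inventories Shockwave installs on a Windows machine by reading the standard uninstall registry keys. The function name `Get-ShockwaveInstall` is hypothetical, and the `*Shockwave*` match pattern is an assumption about how the product registers its display name.

```powershell
# Added example: list Shockwave Player installs recorded in the uninstall registry keys.
# Assumption: the installer registers a DisplayName containing "Shockwave".
function Get-ShockwaveInstall {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*Shockwave*'   # assumed match pattern
    )

    # Per-machine 64-bit and 32-bit (WOW6432Node) views, plus the current user's hive.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        # The WOW6432Node key does not exist on 32-bit Windows; skip missing roots.
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Entries without a DisplayName yield $null here and never match.
            if ($p.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.Name
                }
            }
        }
    }
}

# Report what was found so the host can be queued for removal.
$found = @(Get-ShockwaveInstall)
if ($found.Count -eq 0) {
    Write-Output "No Shockwave entries found on $env:COMPUTERNAME"
} else {
    $found | Format-List
}
```

The `UninstallString` column shows the vendor's own removal command for each entry; this inventory only reads the registry and changes nothing.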

Standard advice: Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Qualys on Patch Tuesday

SANS Internet Storm Center’s Patch Tuesday Priorities.

Martin Brinkmann of Ghacks.net


51 thoughts on “Patch Tuesday Lowdown, April 2019 Edition”

  1. Christian

    After the updates, my PC crashes and freezes.
    System recovery helped first, but then the updates were installed again. After I tried system recovery the second time, it did not work anymore, because the new system recovery backup was made after some of the updates.
    Only a complete reinstallation and pause of Windows Update helped. I can only pause Windows Update for 35 days. What happens afterwards, when the bad updates want to be installed?

    1. Fred

      Same happened to me on two computers. Only thing that worked to get them up and running was restore, but like you said it will try to update again.

      Not sure what is happening, but I too am looking for help or suggestions.

  2. Readership1

    I think this is one of the most commented Patch Tuesday articles in the past few years. It’s like finding a dead canary in a mine.

  3. ROBERT BURKE

    After the update in windows 7 the computer would update then reboot and then repeat. After this endless loop it eventually crashed the system. THANKS MICROSOFT!

  4. Muffin

    I had 4 updates. No problem. I have Windows 7, 64 bit home pc.
    I take Brian’s advice and do the updates manually after first doing a back-up.
    I am not a tech person, but have learned so much from Brian and the people who comment.

  5. Men

    If I were you, don’t do updates. Turn it off and back up regularly.

  6. Catwhisperer

    There is always a need to tell if Windows 10 or Windows Server xx needs to be rebooted. I found this great PowerShell script that allows one to determine if your system needs rebooting. The script gives True if you need to reboot or False if the system isn’t in need of a reboot. Held off on updating corporate Windows 10 machines for 35 days…

    https://gist.github.com/altrive/5329377
    based on:
    https://gallery.technet.microsoft.com/scriptcenter/Get-PendingReboot-Query-bdb79542
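The kind of pending-reboot check described in the comment above can be sketched as follows. This is an added example, not part of the original post or comment and not the code from either linked script; the function name `Test-PendingReboot` is hypothetical, and it checks four commonly used registry indicators rather than every possible one.

```powershell
# Added example: return $true if common registry indicators show a restart is pending.
function Test-PendingReboot {
    [CmdletBinding()]
    [OutputType([bool])]
    param()

    $reasons = @()

    # Component Based Servicing creates this key when a servicing operation needs a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'ComponentBasedServicing'
    }

    # The Windows Update agent creates this key after installing updates that need a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate'
    }

    # Files queued for rename or delete at next boot. Installers unrelated to
    # patching also use this value, so treat it as a weaker signal.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRename'
    }

    # A computer rename takes effect only after restart: active and configured names differ.
    $nameRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $active  = (Get-ItemProperty -Path "$nameRoot\ActiveComputerName").ComputerName
    $pending = (Get-ItemProperty -Path "$nameRoot\ComputerName").ComputerName
    if ($active -ne $pending) {
        $reasons += 'ComputerRename'
    }

    # -Verbose shows which indicators fired, which helps when triaging a fleet.
    Write-Verbose ("Pending reboot reasons: " + ($reasons -join ', '))
    return ($reasons.Count -gt 0)
}

Test-PendingReboot -Verbose
```

A machine that has installed updates but reports `True` here is still running the old binaries until it restarts.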

Comments are closed.