Microsoft's complete list of security patches can be found in its "Security Update Guide" for this month, now totaling 83 pages. As usual, Microsoft's security software partners tend to offer more digestible fare. Microsoft also released one security advisory this month on Adobe Flash.
Update 4/10: Security software provider Sophos is currently investigating a failure-to-boot issue that users described seeing after installing Microsoft's April security patches for Windows 7, Windows 8.1, Windows Server 2008 and Windows Server 2012 machines. Spiceworks forum participants described a similar issue, with some saying that removing KB4493472 fixed the issue.
This "update Tuesday" bundle of security fixes could seem a little crazier than usual because security updates also are arriving from Adobe, Opera, Oracle and Wireshark, according to Chris Goettl, director of product management for security at Ivanti. A recap of Microsoft's and other software vendors' patches will be held on April 10 as part of Ivanti's Patch Tuesday talk series (registration here).
Goettl noted in Ivanti's blog that IT pros should take care to remove Adobe Shockwave as it's no longer supported and is subject to exploits. Moreover, "Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment," so he recommended applying updates.
In addition to applying Microsoft's security patches, Goettl noted that organizations are facing a bunch of expired or expiring software products this month, entailing even more update tasks to complete. Here's Goettl's useful list of expiring software:
- Windows 10 branch 1709 (for Pro licenses) -- April 9, 2019
- Windows 10 branch 1607 - April 9, 2019
- XP Embedded POSReady 2009 - April 9, 2019
- Java 8 (last update was January 2019) -- January 2019
- Adobe Shockwave - April 9, 2019
- Windows 7 - January 14, 2020
- Server 2008 - January 14, 2020
- Server 2008 R2 - January 14, 2020
Critical and Important Patches
Of the 74 vulnerabilities in Microsoft's April patch bunch, 13 are rated "Critical" by Microsoft, while 61 are rated "Important," according to Dustin Childs in Trend Micro's Zero Day Initiative analysis.
Patches are arriving for the following software items this month, according to Microsoft's release notes:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Exchange Server
- Team Foundation Server
- Azure DevOps Server
- Open Enclave SDK
- Windows Admin Center
Of the Critical vulnerabilities, a few were highlighted by Cisco's Talos security researchers. For instance, they pointed to CVE-2019-0753, an Internet Explorer memory-handing problem that could lead to a remote code execution attacks. Exploiting it would require tricking end users to visit a "specially crafted Web site" or getting them to click on an embedded ActiveX control in a Microsoft Office document.
Other Critical vulnerabilities noted by Talos included CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793 and CVE-2019-0795, which are all Microsoft XML issues that could lead to remote code execution attacks.
Just two of the vulnerabilities (CVE-2019-0803 and CVE-2019-0859) are considered to be under active attack, according to the Zero Day Initiative. Even though these two Windows 32K elevation-of-privilege flaws are just rated "Important," Childs advised quickly patching them.
Childs called out three other vulnerabilities to note this month, as well. CVE-2019-0853 is a Critical Windows GDI+ remote code execution vulnerability that was discovered by the Zero Day Initiative. CVE-2019-0688 is an Important Windows TCP/IP protocol flaw that could lead to information disclosure. CVE-2019-0856 is an Important Windows remote code execution vulnerability, but it's noteworthy to patch because it fixes a general Windows memory-handling issue, according to Childs.