Patch Tuesday April 2019
This month Windows is patched for two zero-day flaws, Windows 7 and Windows Server 2008 R2 users report that devices with Sophos Antivirus can’t log in after installing KB4493472 and authentication failures to services configured with unconstrained delegation.
Windows 10, Windows Server 2016, and Windows Server 2019
This month there are 36 fixes for flaws in Windows 10 version 1809. CVE-2019-0803 and CVE-2019-0859 are zero-days reported by Alibaba Cloud Intelligence Security Team and Kaspersky Lab respectively. Both are an elevation of privilege (EOP) flaws where the Win32k component improperly handles objects in memory, potentially allowing an attacker to run arbitrary code in kernel mode. An attacker would need to log in to Windows to be able to exploit this flaw. There are no further details about the vulnerabilities other than that they have both been actively exploited.
8 remote code execution (RCE) bugs rated critical have been patched. One in the Windows IOleCvt interface could let an attacker run malicious code from an ASP webpage, or Microsoft Office document with embedded ActiveX Control, and take control of a system. A flaw in the Windows Graphics Device Interface (GDI) could also let an attacker take control of a system. Similar vulnerabilities affect Hyper-V vSMB and Microsoft XML Core Services.
Windows 7 and Windows Server 2008 R2
Windows 7 gets patches for 6 critical bugs affecting the IOleCvt interface, the Windows Graphics Device Interface (GDI), and Microsoft XML Core Services. It also gets patches for the CVE-2019-0803 and CVE-2019-0859 zero-days which affect Windows 10.
After installing this month’s monthly rollup for Windows 7 SP1 (KB4493472), some users are reporting that after rebooting, they are unable to log in to their systems. At present, this seems to affect users that have Sophos Endpoint Antivirus software installed. Microsoft has announced that it is now blocking KB4493472 for devices running Sophos Endpoint until a solution has been found.
Another issue being reported is that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires. You might see this manifest itself in the SQL Server service failing. Microsoft has published a few workarounds which involve changing to constrained delegation, restarting the affected application, or purging Kerberos tickets on the application server. For more information on both issues affecting KB4493472, see Microsoft’s website here.
7 vulnerabilities are patched in Office 365 ProPlus, all rated important. 6 are RCEs and the remaining bug EOP. CVE-2019-0822 is a Microsoft Graphics Components flaw that could allow an attacker to run arbitrary code by tricking users into opening a specially crafted file. Both SharePoint and Exchange get patches for 2 spoofing vulnerabilities.
This month Adobe released patches for Flash Player, Adobe Reader, and Acrobat. Flash updates are automatically downloaded by Windows Update for Internet Explorer and Edge. Google Chrome users will also receive the updates automatically.
Adobe also announced end-of-life for Shockwave Player. Remember that? What this announcement means is that there will be no more security updates for Shockwave. If you have Shockwave installed on your systems, you should look at removing it as quickly as possible.