It’s raining patches, Hallelujah! Microsoft and Adobe put out their latest major fixes
A pair of actively-targeted Windows flaws highlight this month’s edition of Redmond’s Patch Tuesday, the monthly moment when admins sigh and determine what to fix.
For Microsoft, the monthly flaw folder contains fixes for a total of 74 CVE-listed security bugs in Windows and Office. Of those, 33 are flaws that, if exploited, would allow the attacker to achieve remote code execution.
As usual, most of the remote code execution flaws were spotted in the browser and scripting engines. Those include XML flaws (CVE-2019-0791, CVE-2019-0792, CVE-2019-0793) and half a dozen remote code flaws in the Chakra Scripting Engine. In each case, an attacker would target the vulnerability with a specially-crafted webpage.
Of the other flaws, experts are advising users and administrators to prioritize two fixes for bugs currently being targeted in the wild. CVE-2019-0803 and CVE-2019-0859 are a pair of elevation of privilege vulnerabilities in Win32k. Both require the attacker to already have access to the vulnerable PC, so you’re really just seeing a bad situation get worse if this exploit is used.
“These bugs allow an attacker to elevate privileges and take over a system after they have access to that system,” said Dustin Childs of the Trend Micro ZDI.
“There’s not much info on how these bugs are being used, but targeted malware seems the most likely source.”
Also catching the eye of ZDI researchers was CVE-2019-0856, a remote code execution flaw in Windows that, oddly, also requires the attacker to be logged in and already running code on the vulnerable PC.
“The title lists this as Remote Code Execution, but the description indicates an attacker would need to log on to a system to exploit the bug,” Childs noted.
“Either way, considering it affects all supported Windows versions and that it was fixed by ‘correcting how Windows handles objects in memory,’ – this patch should definitely not be missed.”
Office also received fixes for a number of remote code execution flaws, including four in the Office Access Connectivity Engine, a component of Jet Database.
Microsoft argues that Office RCEs are less of a risk than those in the browser, as they require the victim to actually open the attack file (rather than simply visit a webpage). Still, given how haphazardly users will open Office documents, admins would be wise to prioritize those updates.
Adobe, meanwhile, has kicked out updates for Acrobat and Reader that address 21 remote code execution flaws in the PDF app.
Flash Player also got an update this month, though that patch only deals with two CVE-listed vulnerabilities that would allow remote code execution. Adobe said it has not received any word of active exploits targeting any of the bugs. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/09/patch_tuesday_april/