Patch Tuesday: Fixes for Two Exploited Vulnerabilities
Microsoft’s April security update includes fixes for 74 CVEs, including two vulnerabilities that are actively exploited in the wild. Of the vulnerabilities patched in this update, 13 are rated Critical and 61 are rated Important. The patches this month cover a significant number of Microsoft products and services, namely: Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and ASP.NET, Exchange Server, Visual Studio, Skype for Business, Azure DevOps Server, Open Enclave SDK, and Team Foundation Server. Two of the vulnerabilities were disclosed via the Zero Day Initiative (ZDI).
CVE-2019-0803 and CVE-2019-0859 are two Win32k Elevation of Privilege vulnerabilities that are being actively exploited; they are very similar to the Win32k vulnerabilities addressed in March. If successfully exploited, these vulnerabilities could give an attacker elevated privileges without authorization, allowing them to install programs, manipulate data, and create new accounts with full user rights.
Other notable vulnerabilities include:
- CVE-2019-0853, a GDI+ Remote Code Execution Vulnerability. A number of Microsoft programs, notably the OS and Office suite, use the GDI+ component. Discovered by ZDI’s Hossein Lotfi, this vulnerability occurs when parsing EMF file records. A specially crafted EMF file record can trigger access of an uninitialized pointer, which allows an attacker to execute arbitrary code.
- CVE-2019-0688, a Windows TCP/IP Information Disclosure Vulnerability. IP fragmentation has been a problem for years, and apparently remains an issue. This bug in the Windows TCP/IP stack could allow information disclosure through the improper handling of fragmented IP packets. The vulnerability could expose data such as SAS tokens and resource IDs.
Meanwhile, Adobe has released eight patches for Acrobat and Reader, Adobe Digital Editions, Flash, Bridge CC, XD CC, Shockwave, InDesign, Dreamweaver, and Experience Manager Forms. The patch for Adobe InDesign fixes a Critical-rated Unsafe Hyperlink Processing vulnerability that could lead to arbitrary code execution. The patch for Adobe Acrobat and Reader addresses 21 CVEs, 11 of which are rated Critical. All of the Critical vulnerabilities could lead to arbitrary code execution. Adobe Shockwave also received an update for seven Critical CVEs, although it has already reached its end-of-life. Adobe will no longer provide support for Shockwave; the company has released an FAQ to guide remaining users.
The Trend Micro™ Deep Security™ and Vulnerability Protection solutions protect user systems from threats that may target the vulnerabilities addressed in this month’s Patch Tuesday via the following Deep Packet Inspection (DPI) rules:
- 1009647-Microsoft Windows GDI Elevation Of Privilege Vulnerability (CVE-2019-0803)
- 1009649-Microsoft Windows Multiple Security Vulnerabilities (Apr-2019)
- 1009650-Microsoft XML Remote Code Execution Vulnerability (CVE-2019-0793)
- 1009651-Microsoft XML Remote Code Execution Vulnerability (CVE-2019-0794)
- 1009652-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0806)
- 1009653-Microsoft Graphics Components Remote Code Execution Vulnerability (CVE-2019-0822)
- 1009654-Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2019-0862)
- 1009655-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
- 1009656-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0753)
- 1009657-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0861)
- 1009658-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0810)
- 1009659-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0812)
- 1009660-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0829)
- 1009661-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0860)
- 1009662-Adobe Flash Player Out-of-Bounds Read Vulnerability (CVE-2019-7108)
- 1009663-Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-17) - 1
- 1009666-Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-17) - 2
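As an added example (not code from the original post or from Trend Micro), the following Python check parses rule names in the format listed above and reports which of the CVEs called out in this post are cited by a named rule. It embeds a subset of the list; a CVE that only a roll-up rule such as "Multiple Security Vulnerabilities (Apr-2019)" might cover is reported as needing manual confirmation rather than assumed covered.

```python
import re
from collections import defaultdict

# Subset of the DPI rule names listed in this post (copied from the list above).
RULES_TEXT = """
1009647-Microsoft Windows GDI Elevation Of Privilege Vulnerability (CVE-2019-0803)
1009649-Microsoft Windows Multiple Security Vulnerabilities (Apr-2019)
1009650-Microsoft XML Remote Code Execution Vulnerability (CVE-2019-0793)
1009652-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0806)
1009662-Adobe Flash Player Out-of-Bounds Read Vulnerability (CVE-2019-7108)
1009663-Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-17) - 1
"""

RULE_RE = re.compile(r"^(?P<id>\d{7})-(?P<title>.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_rules(text):
    """Return a list of (rule_id, title, [cve_ids]) for each non-empty line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append((m["id"], m["title"], CVE_RE.findall(m["title"])))
    return rules

def cve_coverage(rules, cves_of_interest):
    """Map each CVE of interest to the rule ids whose name cites it ([] if none)."""
    index = defaultdict(list)
    for rule_id, _title, cves in rules:
        for cve in cves:
            index[cve].append(rule_id)
    return {cve: index.get(cve, []) for cve in cves_of_interest}

def uncovered(rules, cves_of_interest):
    """CVEs of interest that no rule name cites explicitly. These must be checked
    against the vendor's rule description (e.g. the Apr-2019 roll-up rule)
    instead of being assumed covered."""
    return sorted(c for c, ids in cve_coverage(rules, cves_of_interest).items() if not ids)

if __name__ == "__main__":
    # The four CVEs this post calls out by name.
    named = ["CVE-2019-0803", "CVE-2019-0859", "CVE-2019-0853", "CVE-2019-0688"]
    rules = parse_rules(RULES_TEXT)
    print(cve_coverage(rules, named))
    print("no named rule:", uncovered(rules, named))
```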
Customers who have the Trend Micro™ TippingPoint® system are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:
- 34889: HTTP: Delta Industrial Automation CNCSoft Buffer Overflow Vulnerability (ZDI-18-1071)
- 34899: HTTP: Adobe Flash Player MovieClip Use-After-Free Vulnerability (Upload)
- 34901: ZDI-CAN-7273: Zero Day Initiative Vulnerability (Belkin SuperTask)
- 34902: ZDI-CAN-7274: Zero Day Initiative Vulnerability (Belkin SuperTask)
- 34903: ZDI-CAN-7275: Zero Day Initiative Vulnerability (Belkin SuperTask)
- 34906: ZDI-CAN-8341: Zero Day Initiative Vulnerability (Adobe Reader DC)
- 34912: HTTP: Adobe Flash Player attachMovie Use-After-Free Vulnerability (Upload)
- 34914: HTTP: Adobe Flash Player attachMovie Use-After-Free Vulnerability
- 34917: ZDI-CAN-7787: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34918: ZDI-CAN-7858: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34919: ZDI-CAN-7939: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34920: ZDI-CAN-8228: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34921: ZDI-CAN-8265: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34922: ZDI-CAN-8272: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34929: HTTP: Microsoft Scripting Engine RegExp Memory Corruption Vulnerability
- 34930: HTTP: Microsoft Internet Explorer XSL Use-After-Free Vulnerability
- 34931: HTTP: Microsoft Internet Explorer VBScript Integer Overflow Vulnerability
- 34933: HTTP: Microsoft Office Protocol Handler Directory Traversal Vulnerability
- 34936: HTTP: Microsoft Windows Chakra Scripting Engine Memory Corruption Vulnerability
- 34937: HTTP: Microsoft Windows Chakra Scripting Engine Memory Corruption Vulnerability
- 34938: HTTP: Microsoft Windows Chakra Scripting Engine Memory Corruption Vulnerability
- 34939: HTTP: Microsoft Windows Win32k Use-After-Free Vulnerability
- 34941: HTTP: Microsoft Chakra Memory Corruption Vulnerability
- 34944: HTTP: Microsoft Windows NT KASLR Information Disclosure Vulnerability
- 34945: HTTP: Microsoft Windows Win32K Use-After-Free Vulnerability
- 34946: HTTP: Microsoft Chakra Memory Corruption Vulnerability
- 34947: HTTP: Microsoft Chakra Memory Corruption Vulnerability
- 34948: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
- 34949: HTTP: Microsoft Windows Win32k Use-After-Free Vulnerability
- 34951: HTTP: Microsoft Windows GDI Use-After-Free Vulnerability
- 34953: ZDI-CAN-8293: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 34954: ZDI-CAN-8055: Zero Day Initiative Vulnerability (Microsoft Windows)
- 34955: ZDI-CAN-8036: Zero Day Initiative Vulnerability (Microsoft Windows)
- 34956: ZDI-CAN-8056: Zero Day Initiative Vulnerability (Microsoft Windows)
- 34957: ZDI-CAN-8058: Zero Day Initiative Vulnerability (Microsoft Windows)