April, 2019: Patch Tuesday: Two Zero-Days

Welcome to this April Patch Tuesday Bulletin. This month there are 74 unique CVEs, 5 products with critical-rated vulnerabilities, and 2 vulnerabilities exploited in the wild. Pay close attention to CVE-2019-0803 and CVE-2019-0859, since both are Windows privilege escalation vulnerabilities being exploited in the wild. To exploit these vulnerabilities, an attacker would need to log in to the system and then run an application that exploits the vulnerability, giving the attacker control of the system. These are both zero-day vulnerabilities, so we recommend that you patch them as soon as possible. Regarding the Adobe vulnerability ADV190011, you can find more details from Adobe here.

Hey folks, if you’ve been enjoying my Active Directory security trainings, I’d love to meet you in person at The Experts Conference, August 27-28 in Charleston, SC, where I'll be delivering a keynote session and a hybrid AD breakout session as well as taking your questions 1:1 in the Experts Bar. Here's a link to the whole conference to see all the sessions from me and other AD and Office 365 security experts. NOTE: they have a $300 early-early bird savings if you register by April 30, 2019.

So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month.

Patch data provided by: LOGbinder.com

| Technology | Products Affected | Severity | Reference | Workaround / Exploited / Publicly Disclosed | Vulnerability Info |
|---|---|---|---|---|---|
| Internet Explorer | IE 9, 10, 11 | Critical | CVE-2019-0752, CVE-2019-0753, CVE-2019-0764, CVE-2019-0835, CVE-2019-0862 | Workaround: No; Exploited: No; Public: No | Remote Code Execution; Information Disclosure; Tampering |
| Edge | Edge | Critical | CVE-2019-0739, CVE-2019-0764, CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0833, CVE-2019-0860, CVE-2019-0861 | Workaround: No; Exploited: No; Public: No | Remote Code Execution; Information Disclosure; Tampering |
| Windows | Windows 7, 8.1, 8.1 RT, 10; Windows Admin Center; Server 2008/2008 R2; Server 2012, 2012 R2; Server 2016; Server 2019 | Critical | CVE-2019-0685, CVE-2019-0688, CVE-2019-0730, CVE-2019-0731, CVE-2019-0732, CVE-2019-0735, CVE-2019-0786, CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0794, CVE-2019-0795, CVE-2019-0796, CVE-2019-0802, CVE-2019-0803, CVE-2019-0805, CVE-2019-0813, CVE-2019-0814, CVE-2019-0836, CVE-2019-0837, CVE-2019-0838, CVE-2019-0839, CVE-2019-0840, CVE-2019-0841, CVE-2019-0842, CVE-2019-0844, CVE-2019-0845, CVE-2019-0846, CVE-2019-0847, CVE-2019-0848, CVE-2019-0849, CVE-2019-0851, CVE-2019-0853, CVE-2019-0856, CVE-2019-0859, CVE-2019-0877, CVE-2019-0879 | Workaround: No; Exploited: Yes; Public: No | Information Disclosure; Elevation of Privilege; Remote Code Execution; Security Feature Bypass |
| Office | Excel 2010, 2013, 2016; Office 2010, 2013, 2016, 2019; 2016, 2019 for Mac; Office 365 ProPlus | Important | CVE-2019-0801, CVE-2019-0822, CVE-2019-0823, CVE-2019-0824, CVE-2019-0825, CVE-2019-0826, CVE-2019-0827, CVE-2019-0828 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege; Remote Code Execution |
| Exchange | Server 2010 SP3; 2013 CU22; 2016 CU11, CU12; 2019, 2019 CU1 | Important | CVE-2019-0817, CVE-2019-0858 | Workaround: No; Exploited: No; Public: No | Spoofing |
| SharePoint | Enterprise Server 2013 SP1, 2016; Foundation 2010 SP2, 2013 SP1; Server 2010 SP2, 2019 | Important | CVE-2019-0830, CVE-2019-0831 | Workaround: No; Exploited: No; Public: No | Spoofing |
| ChakraCore | All | Critical | CVE-2019-0739, CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0860, CVE-2019-0861 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| Team Foundation Server | 2015 Update 4.2; 2017 Update 3.1; 2018 Update 1.2, 3.2 | Important | CVE-2019-0866, CVE-2019-0867, CVE-2019-0868, CVE-2019-0870, CVE-2019-0871 | Workaround: No; Exploited: No; Public: No | Spoofing |
| Adobe Flash Player | All | Critical | ADV190011 | Workaround: Yes; Exploited: No; Public: No | Remote Code Execution |
| ASP.NET | Core 2.2 | Important | CVE-2019-0815 | Workaround: No; Exploited: No; Public: No | Denial of Service |
| Azure | DevOps Server 2019, Linux Guest Agent | Important | CVE-2019-0804, CVE-2019-0857, CVE-2019-0866, CVE-2019-0867, CVE-2019-0868, CVE-2019-0869, CVE-2019-0870, CVE-2019-0871, CVE-2019-0874, CVE-2019-0875 | Workaround: No; Exploited: No; Public: No | Spoofing; Elevation of Privilege; Information Disclosure |
| Open Enclave SDK | All | Important | CVE-2019-0876 | Workaround: No; Exploited: No; Public: No | Information Disclosure |

