This month’s Patch Tuesday addresses 74 vulnerabilities, with 16 labeled as Critical. Eight of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office, along with another 5 Critical vulns in MSXML. Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. Two privilege escalation vulns in Win32k are reported as Actively Attacked, while another in the Windows AppX Deployment Service has a public PoC exploit.
Workstation Patches
Scripting Engine and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Actively Attacked Privilege Escalation in Win32k
Two vulnerabilities (CVE-2019-0803 & CVE-2019-0859) exist in Win32k that could lead to privilege escalation if exploited. Microsoft reports both of these vulnerabilities as Actively Attacked. Patching should be prioritized for both Workstations and Servers.
Privilege Escalation in SMB Server
A privilege escalation vulnerability was patched in the SMB Server. Exploiting this vulnerability requires the attacker to be logged into the target system and to access a malicious file via SMB.
Adobe Patches
Adobe released a large number of patches today including Flash Player, Acrobat and Reader, Shockwave Player, Dreamweaver, Adobe XD, InDesign, Experience Manager Forms, and Bridge CC. The Flash Player patch covers 1 Critical RCE and 1 Important vuln. Microsoft also ranks the Flash patches as Critical. The Acrobat/Reader patches cover 21 different vulnerabilities, 11 of which are Critical RCE. Adobe Flash and Acrobat/Reader patches should be prioritized for workstation-type systems.
Executive Summary
- Windows 10 version 1607 reached end of support for Enterprise and Education customers today.
- Windows 10 version 1709 reached end of support for Home, Pro and Pro for Workstations today.
- Microsoft released security updates for all client and server versions of Windows.
- Other Microsoft software with security updates: Microsoft Edge, Internet Explorer, Microsoft Exchange Server, Team Foundation Server, Azure DevOps Server, Windows Admin Center, Microsoft Office
- Microsoft fixed many long-standing known issues.
- The Update Catalog lists 133 updates.
Operating System Distribution
- Windows 7: 29 vulnerabilities of which 6 are rated critical and 23 are rated important (links see W10 1809)
  - CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
  - CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
- Windows 8.1: 31 vulnerabilities of which 7 are rated critical and 24 are rated important (links see W10 1809)
  - CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
  - CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
- Windows 10 version 1607: 33 vulnerabilities of which 7 are critical and 26 are important
  - critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
- Windows 10 version 1703: 35 vulnerabilities of which 7 are critical and 28 are important
  - critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
- Windows 10 version 1709: 37 vulnerabilities of which 8 are critical and 29 are important
  - critical issues same as W10 1809
- Windows 10 version 1803: 37 vulnerabilities of which 8 are critical and 29 are important
  - critical issues same as W10 1809
- Windows 10 version 1809: 36 vulnerabilities of which 8 are critical and 28 are important
  - CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
  - CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
  - CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
  - CVE-2019-0786 | SMB Server Elevation of Privilege Vulnerability
Windows Server products
- Windows Server 2008 R2: 29 vulnerabilities of which 6 are critical and 23 are important.
  - same as Windows 7
- Windows Server 2012 R2: 31 vulnerabilities of which 7 are critical and 24 are important.
  - critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
- Windows Server 2016: 33 vulnerabilities of which 7 are critical and 26 are important
  - critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
- Windows Server 2019: 36 vulnerabilities of which 8 are critical and 28 are important.
  - Critical issues same as W10 1809
Other Microsoft Products
- Internet Explorer 11: 5 vulnerabilities, 1 critical, 4 important
- Microsoft Edge: 9 vulnerabilities, 7 critical, 2 important
Known Issues
Windows 7 Service Pack 1
- After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. Workarounds available.
Windows 8.1
- Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. Workarounds available.
Windows 10 version 1607
- For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
- And the Windows 7 SP1 issue.
Windows 10 version 1607 and newer
- After installing the Internet Explorer cumulative update, custom URI schemes for application protocol handlers may not work properly in Internet Explorer. Workaround available.
Windows 10 version 1803
- Same as Windows 7 SP1
Windows 10 version 1809, Windows Server 2016
- Same as Windows 7 SP1
Direct update downloads
Microsoft makes available all cumulative updates that it releases for Windows as direct downloads on the Microsoft Update Catalog website. Follow the links listed below to go there for the listed version of Windows.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4493472 — 2019-04 Security Monthly Quality Rollup for Windows 7
- KB4493448 — 2019-04 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4493446 — 2019-04 Security Monthly Quality Rollup for Windows 8.1
- KB4493467 — 2019-04 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4493470 — 2019-04 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4493474 — 2019-04 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
- KB4493441 — 2019-04 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4493464 — 2019-04 Cumulative Update for Windows 10 Version 1803
Windows 10 (version 1809)
- KB4493509 — 2019-04 Cumulative Update for Windows 10 Version 1809