Updated A pair of actively targeted Windows flaws highlights this month's edition of Redmond's Patch Tuesday, the monthly moment when admins sigh and determine what to fix.
For Microsoft, the monthly patch bundle includes fixes for a total of 74 CVE-listed security bugs in Windows and Office. Of those, 33 are flaws which, if exploited, would allow the attacker to achieve remote code execution.
As usual, most of the remote code execution flaws were spotted in the browser and scripting engines. Those include XML flaws (CVE-2019-0791, CVE-2019-0792, CVE-2019-0793) and half a dozen remote code execution flaws in the Chakra Scripting Engine. In each case, an attacker would target the vulnerability with a specially-crafted webpage.
Of the other flaws, experts are advising users and administrators to prioritize two fixes for bugs currently being targeted in the wild. CVE-2019-0803 and CVE-2019-0859 are a pair of elevation of privilege vulnerabilities in Win32k. Since an attacker needs access to the system first, exploitation means a bad situation getting worse.
"These bugs allow an attacker to elevate privileges and take over a system after they have access to that system," said Dustin Childs of the Trend Micro ZDI.
"There is not much information on how these bugs are being used, but targeted malware seems the most likely source."
Researchers also highlighted CVE-2019-0856, a remote code execution flaw in Windows that, oddly, requires the attacker to be logged in and already running code on the vulnerable PC.
"The title lists this as a Remote Code Execution, but the description indicates an attacker would need to log into a system to exploit the bug," Childs noted.
"Either way, considering it affects all Windows versions and was fixed by 'correcting how Windows handles objects in memory,' this patch should definitely not be missed."
Office also received fixes for a number of remote code execution flaws, including four in the Office Access Connectivity Engine, a component of Jet Database.
Microsoft argues that Office RCE flaws are less of a risk than those triggered by visiting web pages (the victim has to open a document, rather than simply visit a webpage). Still, given how haphazardly users will open Office documents, admins would be wise to prioritize those updates.
Adobe, meanwhile, has kicked out updates for Acrobat and Reader that address 21 remote code execution flaws in the PDF app.
This month, although that patch only deals with two CVE-listed vulnerabilities that would allow remote code execution. Adobe said it has received no word of active exploits targeting any of the bugs. ®
Updated to add
Late to the patch party came SAP.
For SAP, the month brings 11 security updates including a high-priority fix for an XML external entity (XXE) vulnerability in HANA. Security house Onapsis, whose researchers took credit for discovering the flaw, said the flaw is actually present in a number of SAP products, with HANA being the last to get the fix after NetWeaver and ABAP.
"A special attention should be paid to this critical vulnerability due to its likelihood to be used in a targeted attack, based on its ease of exploitation and the potential negative impact to business continuity," Onapsis says of the bug.
"If not patched, the vulnerability would allow an attacker to remotely access critical files from the server and any web app custom code."