Home tech It's raining patches, Hallelujah! Microsoft and Adobe put out their latest major...

It's raining patches, Hallelujah! Microsoft and Adobe put out their latest major fixes • The Register

updated An active-targeted couple Windows flaws highlight this month's edition of Redmond's Patch Tuesday, the monthly moment when admire sigh and determine what to fix ..

For Microsoft, the monthly flaw folder fixes for a total of 74 CVE-listed security bugs in Windows and Office. Of those, 33 are flaws which, if exploited, would allow the attacker to achieve remote code execution.

As usual, most of the remote code were spotted in the browser and scripting engines. Those includes XML flaws (CVE-2019-0791, CVE-2019-0792, CVE-2019-0793) and half a dozen remote code flaws in the Chakra Scripting Engine. In each case, an attacker would target the vulnerability with a specially-crafted webpage.

Of the other flaws, experts are advising users and administrators to prioritize two fixes for bugs currently being targeted in the wild. CVE-2019-0803 and CVE-2019-0859 are pair of elevation of privilege vulnerabilities in Win32k. I need to get the most out of it, I know you're just seeing a bad situation get worse if this exploit is used.

"These bugs allow an attacker to elevated privileges and take over a system after they have access to that system," said Dustin Childs of the Trend Micro ZDI.

"There is not much information on how these bugs are being used, but targeted malware seems the most likely source."

Researchers were CVE-2019-0856, a remote code execution flaw in Windows that, oddly, requires the attacker to be logged in and already running code on the vulnerable PC.

"The title lists this as a Remote Code Execution, but the description indicates an attacker would need to log into a system to exploit the bug," Childs noted.

A tree with the roots exposed appears as if it's walking.

A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole

READ MORE

"Either way, considering it affects all Windows versions and that was fixed by 'correcting how Windows handles objects in memory,' – this patch should definitely not be missed."

Office also received fixes for a number of remote code flaws, including four in the Office Access Connectivity Engine, to component of Jet Database.

Microsoft argues that Office RCE is less than a visit to web pages. (, Rather than simply visit to webpage.) Still, given how haphazardly users will open Office documents, admins would be wise to prioritize those updates.

Adobe, meanwhile, has kicked out updates for Acrobat and Reader that address 21 remote code execution in the PDF app.

This month, although that patch only deals with two CVE-listed vulnerabilities that would allow remote code execution. Adobe said it has received no words of active exploits targeting any of the bugs. ®

Updated to add

Late to the patch party came SAP.

For SAP, the month brings 11 security updates including a high-priority fix for an XML external entity (XXE) vulnerability in HANA. Security house Onapsis, whose researchers took credit for discovering the flaw, said the flaw is actually present in a number of SAP products, with HANA being that last to get the fix after NetWeaver and ABAP.

"A special attention should be paid to this critical vulnerability to its likelihood to be used in a targeted attack, based on its ease of exploitation and the potential negative impact to business continuity," Onapsis says / sap-patch-notes-april-2019 of the bug.

"If not patched, the vulnerability would allow an attacker to remotely access critical files from the server and any web app custom code."

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Must Read

Reinvent the Monkees :: Music :: The Monkees :: Paste

When Peter Tork died last month, he recalled that he, Michael Nesmith, and Mickey Dolenz were not the only young...

оплеванная Лера Кудрявцева ответила Алле Пугачевой :: Шоу-бизнес :: Дни.ру

Телеведущая не стала скрывать, что расстроилась из-за критики Аллы Пугачевой. Лера Кудрявцева заметила, что она вынуждена работать в рамках формата. Звезда решила ответить Примадонне ее же фразой:...

Jussie Smollett is fine after having committed alleged hate crimes

Jussie Smollett is doing "pretty well" after his alleged Chicago joke and hopes to be publicly relieved "as soon as all the information comes...

Without General Haftar nothing works | TIME ONLINE

The advance of General Chalifa Haftar began in the east of Libya, in the Cyrenaica - and apparently his local successes moved him, too...