They say that “April is the cruelest month.” Well, when it comes to Microsoft patching, there is some truth to this. With 74 reported vulnerabilities and significant updates to all Microsoft’s major platforms (Windows, browsers, development platforms, Office and Exchange and, of course, Adobe Flash), getting these updates deployed in a timely fashion will be hard work.
One bright note to all this is that we can finally remove Adobe Shockwave. You can find some good patch prioritization advice from Chris Goettl’s April Patch Tuesday posting and you can find more technical patch details on the April Readiness Patch Impact Assessment.
Known Issues
4487563: Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to “Automatic”.
4493509: After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.
Each month, I try to break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft.NET Core, .NET Core and Chakra Core
- Adobe Flash Player
Browsers
Microsoft has attempted to resolve 13 reported vulnerabilities (non publicly reported or exploited) that have been rated as critical. These vulnerabilities (or CVE’s) are grouped across the following areas:
- Microsoft Browsers Tampering Vulnerability
- Chakra Scripting Engine Memory Corruption Vulnerability
- Microsoft Edge Information Disclosure Vulnerability
- Microsoft Scripting Engine Information Disclosure Vulnerability
Given that these issues cover most memory areas and scripting across both Microsoft browsers, add this update to your “Patch Now” schedule.
Windows
This is a massive update this month for the Microsoft Windows platform. With this April Patch Tuesday, Microsoft has attempted to resolve nine critical vulnerabilities and 30 (count’ em) vulnerabilities rated as important. In addition, it appears that reported issues (CVE-2019-0803 and CVE-2019-0859) have been exploited. It also appears that both these issues related to a Win32K driver issue—which is always bad news. Bad news for future problems and difficult to troubleshoot scenarios.
In addition to these severe reported vulnerabilities there have been significant updates to the following Windows components:
- Security updates to Windows Datacenter Networking
- Windows Server
- The Microsoft JET Database Engine
- Windows Kernel
- Windows Input and Composition
- Microsoft Scripting Engine
- Windows App Platform and Frameworks
- Windows Storage and File systems
- Microsoft Graphics Component
- Windows Virtualization
- Windows MSXML
- Windows SQL components
- Microsoft Edge
This is a massive update and needs to be heavily tested and then deployed as quickly as possible. Sorry—add this one to your Patch Now list.
Microsoft Office
This month both Microsoft Office and Exchange are reported to have 12 vulnerabilities rated as important by Microsoft. These security issues cover the following basic areas:
- Microsoft Graphics Components Remote Code Execution Vulnerability
- Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
- Microsoft Office SharePoint XSS Vulnerability
- Microsoft Exchange Spoofing Vulnerability
The most serious of these issues could lead to a remote code execution scenario. However given that all of the exploits require specially crafted files on targeted systems with logged on users with admin rights, this patch can be added to your scheduled patch deployment effort.
Development Tools (.NET and Chakra Core)
The story for updating Microsoft development tools is a little more nuanced than usual. Microsoft has attempted to resolve seven critical vulnerabilities in the Chakra Core system and 11 important updates to the Microsoft Team Foundation Server. See if you can get the Chakra updates out as quick as possible and schedule the Team Foundation changes with your normal patch process.
Adobe
The big news for Adobe fans (and reluctant users) is that Shockwave has reached end of support. Just remove Shockwave from ALL of your systems. Do this as soon as you can, as I am sure next month we will be advising on massive zero-days for the belated platform. In addition, Adobe has attempted to resolve two vulnerabilities in Adobe Flash Player (CVE-2019-7096, CVE-2019-7108) both rated as critical. Add the Adobe update to your Patch Now list.