Microsoft issued the April 2019 Security Updates, which include 75 unique vulnerability fixes, 16 of them rated critical and two addressing zero-days that were being actively exploited.
The updates address multiple Microsoft products, including Windows, Edge, Office, Office Services and Web Apps, ChakraCore, ASP.NET, Exchange Server, Team Foundation Server, Azure DevOps Server, Open Enclave SDK, and Windows Admin Server.
All of the 16 critical updates address remote code execution (RCE) bugs.
Win32K zero-day vulnerabilities
Microsoft describes each of the two Win32K vulnerabilities the same way:
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft further confirmed that each of the bugs has active exploits detected in the wild.
The 16 critical Microsoft RCE vulnerabilities include (along with product family impacted):
|Vulnerability||Product Family Impacted|
A dozen of the patches rated Important address Elevation of Privilege vulnerabilities in multiple products.
A Proof-of-Concept (PoC) was also made available on public GitHub for one of the elevation of privilege bugs, CVE-2019-0841.