The April 2019 Security Update Review

April is upon us and with it comes the latest round of patches from Adobe, Microsoft, and others. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Mozilla and VMware

While we normally don’t talk too much about patches from Mozilla and VMware, there are a couple of patches we wanted to highlight. The first is MFSA2019-09. This patch corrects two CVEs disclosed during our most recent Pwn2Own competition. These bugs were reported on March 21 and patched in Firefox on the 22nd. These bugs were patched in Thunderbird with MFSA2019-12 a few days later. 

VMware also released patches related to Pwn2Own. A few days after Mozilla, VMware released VMSA-2019-0005, which among other things, fixes the TOCTOU and OOB read/write bugs identified by the Fluoroacetate team of Amat Cama and Richard Zhu during Pwn2Own. In perhaps their most elegant demonstration of the contest, the Master of Pwn winners browsed to their specially crafted webpage using Microsoft Edge from within a virtualized Windows 10 client. That single act started the string of bugs that resulted in code execution in the underlying hypervisor. Considering the implications, it’s good to see VMware release the patches to address these vulnerabilities quickly. 

Adobe Patches for April 2019

For April, Adobe released patches eight patches covering Acrobat and Reader, Flash, Bridge CC, Shockwave, InDesign, Dreamweaver, and Experience Manager Forms. A total of 13 of these bugs came through the ZDI program. The patch for Acrobat corrects 21 different CVEs. The worst of these vulnerabilities could allow an attacker to completely take control of an affected system. The update for Flash corrects one Critical remote code execution bugs that can control an affected system if a specially crafted video is viewed using Flash along with an Important-rated info disclosure.

The update for Bridge CC corrects eight CVEs – all of which were reported through the ZDI program. Included are two Critical-rated remote code execution bugs that could allow an attacker run their code in the context of the logged-on user. Shockwave receives fixes for seven RCEs – all of them being related to memory corruption. The patch for InDesign also takes care of a single, Critical-rated RCE. There are two patch traversal RCEs corrected by the fix for Adobe XD. The update for Experience Manager Forms corrects an Important-rated cross-site scripting (XSS) bug. The final offering from Adobe in April takes care of a Moderate-rated data disclosure in Dreamweaver.

Microsoft Patches for April 2019

Microsoft released security patches for 74 CVEs along with one advisory. The patches cover Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and ASP.NET, Exchange Server, Visual Studio, Skype for Business, Azure DevOps Server, Open Enclave SDK, and Team Foundation Server. Of these 74 CVEs, 13 are rated Critical and 61 are rated Important in severity. A total of six of these CVEs came through the ZDI program. While none of these bugs are listed as publicly known, two are listed as being under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs under active attack:

-       CVE-2019-0803, CVE-2019-0859 – Win32k Elevation of Privilege Vulnerability
No, you’re not experiencing déjà vu. Just like March, there are two similar bugs listed as under active attack. And again, one these bugs was reported by Kaspersky Labs, while this month, the other bug came through the Alibaba Cloud Intelligence Security Team. These bugs allow an attacker to elevate privileges and take over a system after they have access to that system. There’s not much info on how these bugs are being used, but targeted malware seems the most likely source. Regardless, get these rolled out to your systems quickly.

-       CVE-2019-0853 – GDI+ Remote Code Execution Vulnerability
This patch corrects a vulnerability discovered by our own Hossein Lotfi, and corrects a problem in Windows GDI+. The vulnerability occurs when parsing EMF file records. A specially crafted EMF file record can trigger access of an uninitialized pointer, which allows an attacker to execute arbitrary code. Multiple Microsoft components and programs, most notably the OS and Office suite, utilize the GDI+ component. As such, it has been a fertile ground for research over the years.

-       CVE-2019-0688 – Windows TCP/IP Information Disclosure Vulnerability
This patch corrects a bug in the Windows TCP/IP stack that could allow an information disclosure due to Windows improperly handling fragmented IP packets. Data such as SAS token and resource IDs can be leaked back to an attacker. IP fragmentation attacks have existed for years, with things like the Ping of Death and Teardrop being early examples. It’s fascinating to see protocol attacks still exist, even in modern TCP/IP stacks.

-       CVE-2019-0856 – Windows Remote Code Execution Vulnerability
This patch write-up is definitely an oddity. The title lists this as Remote Code Execution, but the description indicates an attacker would need to log on to a system to exploit the bug. Either way, considering it affects all supported Windows versions and that it was fixed by “correcting how Windows handles objects in memory,” – this patch should definitely not be missed.
Note: After the initial publication of this blog, Microsoft revised the description to indicate an authenticated attacker could connect via the Windows Remote Registry Service and thus cause an RCE to occur.

Here’s the full list of CVEs released by Microsoft for April 2019.

Looking at the other patches for April, this release again sees many remote code execution bugs that impact the web browsing experience. Many of these are in the browsers themselves, but other components like VBScript and MS-XML have similar impacts and attack scenarios. For these cases, an attacker would need to convince a user to browse to a specially crafted website or open a specially crafted file. The other code execution bugs affect primarily Office components and the Jet database engine. For these types of bugs, the attacker would need to convince someone to open a specially crafted file.

Next up are a dozen or so info disclosure bugs. We’ve already mentioned the IP fragmentation case, but most of the other ones are the more familiar variety of memory leaks – often used in sandbox escapes. There is also an info disclosure bug in the Open Enclave SDK that could allow attackers to obtain information stored in the Enclave. If you’re using this SDK to develop Enclave applications in C and C++, you should definitely pick up this patch. There are also a dozen elevation of privilege bugs in the April release, with the majority of these occurring in the Windows kernel.

There’s a denial of service in ASP.NET due to improperly handled web requests. This one is especially interesting since remote, unauthenticated attackers could reach the bug. In addition to the previously mentioned RCEs, the web browsers also receive a patch to address a tampering bug. If successfully exploited, it could allow an attacker to pass custom command line parameters – an often-handy ability when targeting an enterprise.

The Azure DevOps Server receives a patch to address an interesting EoP. The bug allows attackers to add GitHub repos to a project without having the proper access granted to their account. According to the bulletin, an attacker would need to send a specially crafted request to an affected server, so it seems there’s more to a successful attack than trying to check in a new repo.

The release is rounded out by a handful of cross-site scripting (XSS) bugs in SharePoint and Team Foundation Server. The Team Foundation Server also gets a spoofing patch. More interestingly, there are two spoofing vulnerabilities fixed in Microsoft Exchange Server. In both cases, an attacker would need to convince a user to click on a malicious link, so there is a level of social engineering involved.

Finally, the lone advisory for this month is Microsoft’s version of the patch for Flash in Internet Explorer, which only contains defense-in-depth fixes for March.

Looking Ahead

The next patch Tuesday falls on May 14, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!