Microsoft April Patch Tuesday updates are out with numerous bug fixes. Apart from the other vulnerabilities, Microsoft has also patched two potentially exploitable zero-day bugs.
Two Zero-Day Bugs Affecting Windows Patched
Microsoft April Patch Tuesday updates fixed two serious zero-day flaws affecting Windows users. These vulnerabilities include CVE-2019-0803 and CVE-2019-0859, both of which could result in elevation of privilege.
According to Microsoft advisories, both zero-day vulnerabilities existed in Win32k component of Windows. Microsoft has given the same description for both, which reads,
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft stated that to exploit the flaws, a potential attacker had to log on to the target system first. The vendors rectified the bugs by correcting the way of handling objects in memory by Win32k.
Although, both CVE-2019-0803 and CVE-2019-0859 had a similar impact the latter, discovered by Kaspersky Lab researchers, had a CVSS base score of 7.8. Whereas, the previous one had a CVSS base score of 7.
Other Fixes With Microsoft April Patch Tuesday
Apart from the zero-day flaws, Microsoft also rolled-out fixes for other security bugs. Some important flaws existed in Microsoft Office Access Connectivity Engine that could allow an attacker for remote code execution. Precisely, these include three different vulnerabilities; CVE-2019-0824, CVE-2019-0825, and CVE-2019-0827, discovered by different researchers. However, all of them exhibited similar effect as described by Microsoft.
“A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory… An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.”
Microsoft confirmed no active exploits for all three bugs.
The other products receiving security fixes with this update bundle include Microsoft Edge, Internet Explorer, Adobe Flash Player, Microsoft Windows, ChakraCore, Team Foundation Server, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Exchange Server, ASP.NET, Open Enclave SDK, Azure DevOps Server, Windows Admin Center.
In March also, Microsoft Patch Tuesday updates brought fixes for two zero-day vulnerabilities. One of them particularly affected Windows 7 users, whereas, the other one affected all Windows versions, including Windows 10.
Let us know your thoughts in the comments section.