Microsoft today released its April 2019 software updates to address a total of 74 CVE-listed vulnerabilities in its Windows operating systems and other products, 13 of which are rated critical and rest are rated Important in severity.
April 2019 security updates address flaws in Windows OS, Internet Explorer, Edge, MS Office, and MS Office Services and Web Apps, ChakraCore, Exchange Server, .NET Framework and ASP.NET, Skype for Business, Azure DevOps Server, Open Enclave SDK, Team Foundation Server, and Visual Studio.
None of the vulnerabilities addressed this month by the tech giant were disclosed publicly at the time of release, leaving the two recently disclosed zero-day flaws in Internet Explorer and Edge browsers still open for hackers.
However, two new privilege escalation vulnerabilities, which affect all supported versions of the Windows operating system, have been reported as being actively exploited in the wild.
Both rated as important, the flaws (CVE-2019-0803 and CVE-2019-0859) reside in the Win32k component of Windows operating system that could be exploited by attackers to run arbitrary code in kernel mode on a targeted computer.
Just last month Microsoft patched two similar vulnerabilities in the Win32k component that were also being exploited in targeted attacks by several threat actors including, FruityArmor and SandCat.
Besides this, Microsoft also released updates to patch 13 critical vulnerabilities, and as expected, all of the critical-rated vulnerabilities lead to remote code execution attacks, except one elevation of privileges in Windows Server Message Block (SMB) Server.
All critical vulnerabilities primarily impact various versions of Windows 10 operating system and Server editions and reside in ChakraCore Scripting Engine, Microsoft XML Core Services, SMB Server, Windows IOleCvt Interface, and Windows Graphics Device Interface (GDI).
images from Hacker News