April Patch Tuesday 2019
Ever wonder why there are so many updates in April? I figure it is fate giving me an overwhelming number of updates so I can abuse the old adage about April showers bringing May flowers, but what do April patches bring us in May? Hmm… it will come to me.
While I noodle over that, let’s dig into the lineup for April because it is CRAZY!
We got updates from Microsoft, Adobe, Wireshark, Oracle (dropping on April 16), and Opera. We also have a boat-load of end-of-life notices, which raise a number of security concerns that are very timely to discuss, given the recent Arizona Tea ransomware attack that brought the company to a grinding halt.
Microsoft has released 15 updates resolving 74 unique CVEs this month. These updates affect the Windows OS, Internet Explorer and Edge browsers, Office, SharePoint and Exchange. Two of the vulnerabilities (CVE-2019-0803 and CVE-2019-0859) resolved in the Windows OS are being used in exploits in the wild. These are Win32k elevation-of-privilege vulnerabilities that could allow a locally authenticated attacker to run arbitrary code in kernel mode.
Adobe has released seven total updates resolving 43 unique CVEs. Adobe Reader, Acrobat, AIR, Flash, and Shockwave are the most concerning here. You can get updates for Reader, Acrobat, AIR, and Flash, but Shockwave has reached its end-of-life, so no update is available for its seven critical vulnerabilities.
Immediate action: Remove Shockwave from your environment! Its seven vulnerabilities are going to leave the majority of Shockwave installs exposed. You can bet an exploit is imminent there.
Wireshark released three updates resolving 10 CVEs. Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment. Ensure it gets updated or removed where it is no longer needed.
Ivanti priorities this month:
- Patch the Windows OS and browsers
- Patch Adobe Reader, Acrobat, AIR and Flash
- Remove Shockwave from your environment unless you have a continued support contract with Adobe to receive updates
- Patch Wireshark
- Investigate the Office, SharePoint, and Exchange updates and get them rolled out in a reasonable timeframe
- Review end-of-life software in your environment and have an action plan in place to eliminate or mitigate risks. I would suggest:
  - Remove it (best option)
  - Virtualize the workloads
  - Reduce access
  - Segregate from the rest of your environment
  - Limit or remove internet connectivity to those workloads
So, if you caught my April Patch Tuesday Forecast on Help Net Security, you have seen the nice long list of end-of-life products I went through. Add Shockwave to that list now. Also, if you have not caught up on the latest news, we have a real-world example of how neglecting this issue can come back to bite you. Arizona Beverages was hit by a large-scale ransomware attack that brought the company to its knees. The incident was attributed to outdated systems and systems with updates not yet applied, as well as poorly configured backups. Take the time to review this list and look into other products in your environment. Obsolete software is a considerable risk to your environment and needs to be addressed even if removal is not the immediate answer. Have a plan in place to mitigate the risk if elimination is not possible.
Recent and upcoming end-of-life announcements:
- Windows 10 branch 1709 (for Pro licenses) - April 9, 2019
- Windows 10 branch 1607 - April 9, 2019
- XP Embedded POSReady 2009 - April 9, 2019
- Java 8 (last update was January 2019) - January 2019
- Adobe Shockwave - April 9, 2019
- Windows 7 - January 14, 2020
- Server 2008 - January 14, 2020
- Server 2008 R2 - January 14, 2020