Skip to main content

Post-Patch Tuesday Roundup: April 2019

Post-Patch Tuesday Roundup: April 2019

Networking & security Software Licensing

security patch blog 01

Tim Lovegrove

Security Analyst

Welcome to the April 2019 Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday, and dissect a few of the key releases.


Kicking off this month was VMware, releasing ESXi 6.7 Update 2 a few days ago in line with their 6-month schedule. This includes a number of security fixes, such as an L1TF side-channel vulnerability (similar to Spectre/Meltdown), but also a range of new and updated features.

This includes a change to the Platform Services Controller (PSC) architecture making it simpler to link vCenter servers together, new protocol support for file-based Backup and Restore and a new vSphere Health section. The full feature set is too extensive to dig into here, so head on over to VMware to review the release notes.


It’s been a busy month for Microsoft, with 74 CVEs addressed, of which 16 are Critical and several are being actively exploited in the wild.

Workstation patches take the headlines. Remote Code Execution bugs are fixed in the Chakra scripting engine and MSXML components which could be exploited by embedding code in a compromised website, while Win32k continues to be problematic for Microsoft; this month privilege escalation flaws in Win32k are fixed, and exploits have been seen in the wild already. Despite being classed as “workstation” updates, these affect all versions of Windows and should be applied to any machine that accesses the Internet.

Elsewhere, there are updates for Office, a fix for a XSS vulnerability in SharePoint, and Outlook Web Access for Exchange.


After a comparatively quiet March, Adobe are back with avengeance, dropping updates for Reader, Acrobat and Flash, as well as Shockwave, Dreamweaver, and several other products. The Acrobat and Reader updates clear 21 vulnerabilities, while Flash updates also appear in Microsoft’s release and include a Critical-rated Remote Code Execution flaw.

Get in Touch

If you'd like any advice on the Microsoft, VMware or Adobe patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.