Ivanti: April 2026 Patch Tuesday Security Update Review

Ivanti
06/25/2026

Transcript


I am accompanied by Mika to do this patch Tuesday. Hi Mika. Hi Lauriane, hello everyone. As always in the Dock section of Goldcast, you will find several elements today. The first is the presentation of today. There are a lot of news links that you can find directly in the presentation. Do not hesitate to get them now. There are other links, again on the management of the asset exposure. And a link also to register, if you wish, to our event, Eventi Live, which will take place in Paris on June 17. We will talk about products, we will talk about roadmaps, we will talk about IA, so lots of interesting topics. In the Documents section of Goldcast. Agenda side, always the same, we will review, we will do a small overview of the patch Tuesday of the month of April, address some topics and, as always, we will make a point on the bulletins, the publications of this month. And then we will see what happened between the patch Tuesday of March and that of April. So, a lot of activities that take place between these monthly events. This often leads to a sensitization of the corrective actions that must be admitted in order to remain urgent. The patch Tuesday of April was rather tough and above all preceded by a lot of agitation on the security side. Even before the release of the Microsoft patches, we saw two major zero-days, especially on Google Chrome in early April and also on Adobe Acrobat Reader a few days before this patch Tuesday. As a result, some attackers already had a long way to go before many companies were aware of it. In total, Microsoft corrected 169 vulnerabilities, which makes it one of the biggest patch Tuesdays in history, just behind that of October 2025. In the lot, one zero-day was actively exploited, a vulnerability already made public and a majority of important classified bugs, even if they are important, should not be underestimated. 
The most critical zero-day concerning Microsoft SharePoint, even if it is not critically classified by Microsoft, it was exploited in the wild and can allow an attacker to access sensitive information or modify it. Clearly, if you have SharePoint on-prem, it is a priority. Mika will talk about it in more detail just after. Another false point, a flaw in Microsoft Defender already made public with available proof-of-concept code. This clearly increases the risk of exploitation, especially for local privilege elevations. Mika will make a point on this just after the news. On the third-party side, Adobe did not complain either. 12 updates this month, we will talk about them in the bulletins, including the one that corrects the Acrobat zero-day. In total, more than 50 CVEs were corrected with many critical flaws. It is also difficult to wait for the next cycle of maintenance. We will make a point on this in the bulletins and releases. Another important topic, with the arrival of very powerful AI models capable of finding flaws in the code, we have to focus on more zero-day, more often, and especially on correctives that come out of the usual monthly cycles. Basically, managing security only once a month becomes less and less realistic. To sum up, absolute priority on Chrome, Adobe Acrobat and SharePoint. Do not underestimate the major flaws, especially when they are already exploited in public cases. And above all, start to reason in risk exposure management rather than in simple patch management of the calendar. Before going into the details of the patch Tuesday, the bulletins and releases, I just wanted to come back to several remarkable news in recent weeks. They are interesting not only individually, but especially because they draw a crazy trend. There are more and more critical vulnerabilities. Vulnerabilities happen more quickly and are often outside of traditional operational frameworks.
The first link concerns Adobe Reader, with a zero-day exploited via malicious PDFs. Since December 2025, there is a zero-day vulnerability that is actively exploited via trapped PDF files. These documents are distributed mainly by targeted files, but also via compromised sites. Technically, the exploitation is particularly effective because it is based on a very banal action, opening a PDF. There is no need for macros, no need for additional clicks, no need for executable files. What is problematic here is the duration of the exploitation, because for several weeks, even several months, attackers have been able to exploit this flaw before many organizations detect it or prioritize it as a really critical vulnerability. In practice, this ultimately reveals two things. First, utility applications such as PDF readers remain a critical attack surface. And then, above all, the editor correctives that come out outside of the monthly cycle must be integrated into a slightly more dynamic patching logic. The second subject that affects Google Chrome. In early April, Google confirmed the active exploitation of a critical zero-day, potentially affecting 3.5 billion users. The vulnerability allows the execution of remote codes via a malicious web page. The important point here is not only the existence of zero-day, but above all its frequency. It is already the 4th zero-day that Chrome has corrected since the beginning of the year 2026. Clearly, the browser has become a central component of the company. It gives access to cloud applications, to data, to identities, sometimes even to internal tools. So exploiting the browser is often bypassing several layers of defense at once. So for IT teams, the issue is not only whether the browsers are updated or whether they are updated, but above all at what speed, with what visibility and above all with what level of control on the versions that are actually deployed. 
Another current subject, the Glasswing project, which is a subject that is a little more strategic. The Glasswing project is an anthropomorphic cloud model. This project has shown that an AI can not only identify unknown vulnerabilities, but also chain several flaws to build real operating chains, where ultimately human audits or automated tools have failed for decades. The key message is quite fundamental. The discovery of vulnerability is becoming much faster than our ability to correct. It challenges the traditional approaches we have, i.e. scanning, sorting by CVSS score, patching in the next cycle. In a world where discovery is accelerating, the real question becomes what do we correct in priority, under what delay, depending on the real risk and the business context. And this is where tools like RBVM, Risk-Based Vulnerability Management, make all the sense. These are tools that allow you to ingest data from vulnerability scanners and make a priority list of these vulnerabilities. And then also take into account the context of the company. If the assets are exposed on the Internet, if the assets are critical, all this is taken into account by tools such as RBVM. Another subject, there are quite a few for this patch Tuesday, Apple. We observed a fairly rare decision from Apple, which published security corrections for iOS 18, including on devices capable of migrating to iOS 2026. This decision follows the leak of the Dark Sword kit, a complete chain of operations that allows you to compromise an iPhone via a simple visit on a malicious web site without user interaction. This type of exploit is typically used in targeted campaigns, sometimes linked to state surveillance, but its public publication has changed the risk equation. The signal sent by Apple is quite strong, since the threat is serious enough to justify a temporary softening of its support policy, which is quite rare from Apple. 
For companies, this underlines the importance of integrating mobile terminals in vulnerability management strategies, as well as workstations, with MDM, MTD and vulnerability management. Microsoft. If we now look at the evolution of Microsoft around Remote Desktop, reinforced security for Remote Desktop, with the April updates, Microsoft introduced new security alerts when an RDP file is opened, for the simple and good reason that RDP files are widely used in phishing campaigns. They automatically redirect local resources, such as disks, paper presses, peripherals, to a server remotely controlled by an attacker. Now, the user clearly sees what parameters are required, and everything is deactivated by default. An explicit warning is also displayed during the first use. This is a clear improvement in terms of security, but it can still impact some automated IT usage. For the IT team, these changes must be anticipated, and above all, they must be explained to users and concerned teams. Sorry. Microsoft 365. The evolution of Office updates channels. This is also another structuring announcement, the evolution of the Microsoft 365 App updates channels from July 2026. So, the semi-annual Enterprise channels, historically chosen for their stability, and the low rate of change, will receive monthly updates, aligned with the monthly Enterprise channel. The goal is to simplify the ecosystem of channels, and improve the dissemination of security correctives. But concretely, this means more functional changes, more frequently, and even in very conservative historical environments. All organizations and companies must strengthen their validation and communication processes with users. The end of support. Announced for Windows Server 2016, Windows 10 Long-Term Support Branch, the small calendar item, but which still has very concrete applications. Windows 10 Enterprise 2016, TSB will arrive at the end of support in October 2026, and Windows Server 2016 in January 2027. 
As usual, Microsoft offers ESUs, Extended Security Updates, to extend the coverage, but only for critical correctives, and above all, a growing number each year. ESUs must be seen as a temporary security net, and not as a long-term strategy. Because the longer it takes to migrate, the higher the cost and the increased risk. And finally, another topic I wanted to highlight, Microsoft is removing Sara, the Support and Recovery Assistant tool, from the March 2026 updates. You may have noticed. It is a tool that was widely used to diagnose and correct problems related to Office, Microsoft 365 or Outlook. It is replaced by the Get Help online command tool, based on a more modern and secure infrastructure. So, Get Help. For IT teams, it involves updating existing scripts and adapting automated support processes. It is representative of a wider trend, the gradual removal of legacy tools, in favor of more integrated and secure solutions. If we take a step back, all these news stories tell the same story. Faster threats, more frequent correctives, editor changes that force us to review the operational models of organizations. We can see that security can no longer be only monthly or calendar-based. It must be oriented towards exposure, prioritization and, above all, the ability to react quickly. So, I'll leave it to Mika to explain the rest of the patch. Thank you, Lauriane. We'll start with the releases, before moving on to the bulletins. Mr. Trumpett-Lyde. So, on Microsoft Defender, we have a vulnerability that has been publicly disclosed. The good news is that Microsoft is very clear. There is nothing special to do. Defender updates itself very regularly via the platform and the signatures. If your scan tools continue to go up, even when Defender is disabled, don't panic. The files are still on the disk, and the system is not exploitable. So, here's a simple message. Let Defender do its job, and we'll move on. Here, we clearly change the level of priority on SharePoint. 
Lauriane talked about it a bit in the introduction. It's a SharePoint vulnerability that is actively exploited. So, we're no longer in theory. It's happening now. It affects the 2016-2019 on-prem versions and subscription editions, and allows for spoofing with possible access to sensitive data. So, here, the message is simple. If you have on-prem SharePoint, it's the patch to prioritize. It's one of the most urgent patches. On Linux, we're going to focus a lot on Linux. Here, the first one is that we're on a very critical vulnerability, CVSS 9.8, related to TLS management. It's a fairly classic running condition, but with a potentially serious impact on some servers. The good news is that a patch is already available. So, deploy it. The kernel is being updated and highly recommended. The second notable Linux vulnerability this month, this time in the Wi-Fi stack. We're talking about a buffer overflow related to a parameter control problem, especially in environments that use Wi-Fi multilink. It's mainly to monitor mobile posts or connected equipment. Again, the message is simple, update your kernel. The third and last point on Linux, a vulnerability related to Xen that can cause problems in some scenarios with Secure Boot. In very specific cases, a root user could bypass some expected protections. Here, the correct answer is already integrated in the recent kernels. Again, patch it, especially if you're in sensitive virtualized environments. A quick point on the Ivanti domain. Several bulletins published this month for ETSM, Endpoint Manager and EPMM. There is no known operation at this stage, which is reassuring. However, some CVSS scores are high, so you still need to check your versions, especially in on-prem. Of course, Cloud environments have already been updated. Lifecycle in Windows 11. Here is an important reminder if you're on Windows 11.
The versions run quite quickly and some quickly reach the end of support, especially with Home and Pro. The key message here is to anticipate and avoid ending up in support without a clear migration plan. On the server side, we are on something more stable with the LTSC model. Releases every 2 to 3 years, 5 years of standard support and 5 years of extended support. Windows Server 2016 is coming to an end and 2022 is approaching the end of mainstream support. Here is some information to tell you that this is the right time to review your server strategies. On the Windows 10 side, 22H2 is now officially out of support. Microsoft offers a 3-year ESU program but with an important point, the price doubles every year. Ivanti offers an alternative on Microsoft, but with a fixed price that can clearly make a difference depending on the size of your environment. Update of interest. Here is a quick overview of some interesting Microsoft updates this month. We have the servicing stack updates from update.net, Azure, Visual Studio, PowerShell. Here, nothing urgent or blocking, these are important bricks to integrate into your usual maintenance cycles. And the last announcement before moving on to the bulletin. All Ivanti patch content announcements are published on community forums. I really advise you to subscribe to the products that concern you by following this link, you will have a product suite. It's quite simple and it allows you to keep up to date. And to you, Lauriane, for the bulletins. Yes, a bulletin, a release, it works. For the first part of the bulletins, we will really focus on the Adobe corrections that were published this month. What is striking is really global coherence, that is, a series of bulletins with maximum critical severity that touches very used applications, exposed to files from the outside. 
And even if Adobe indicates each time, systematically, not to have knowledge of the proactive, the history shows us that these vulnerabilities are still regularly weaponized, so exploitable, in the weeks or months that follow. So, let's start. I see that some titles are missing, but they must be. It must be a bug on the Goldcast side. I think they are well present in the presentation. So, we start the bulletin with APS-B 2644. I will try to give the title each time. So, it's Adobe Acrobat and Reader, which concerns Windows and Mac with DC version of the Classics 2024. So, we are on a critical severity, vulnerabilities are corrected, a critical and unimportant, with impacts that include the exclusion of arbitrary code and the disclosure of information. The typical scenario is really the opening of a malicious PDF file, often received by e-mail or downloaded from an external source, and that's what makes Acrobat Reader particularly sensitive. It's really an omnipresent application, used by almost all users. So, Adobe indicates not having observed any active exploitation at this stage, but in practice, we all know that this type of correction must be considered as a priority. Note also that a restart is required for the correction to be effective. Back to the titles. Great. Second bulletin, for Adobe Illustrator version 29.8.5 and 30.2. Again, critical severity, maximum, only one vulnerability corrected, 2026.34.618, which allowed arbitrary string execution. The user interface is more limited than for Reader, but the risk is very real in creative environments, especially when dealing with files sent by clients or external partners. Again, restart required to finalize the application of the correction. Still on Adobe, Photoshop version 27.4, a critical vulnerability only corrected, under the reference of CVE-2026-27-289, with an impact, again, of arbitrary code execution. 
Photoshop, which is widely used in business contexts, is often used to open files from multiple sources. Even if no active is reported, this type of failure remains at high risk. Again, restart of the required application for the application after the deployment of the correction. Adobe Bridge version 15.1 LTS and 16.0.2, is a particularly loaded project, since there are six vulnerabilities corrected, one critical and one important. The impacts cover both the execution of arbitrary code and the denial of service. Adobe Bridge, which is often perceived as a passive tool for navigation and pre-visualization. It can still be exposed to many files stored locally or on network sharings, so you have to be really careful. Again, restart of the required application after the deployment of the correction. Adobe Connect, Adobe Connect and the associated desktop application. We are talking about nine vulnerabilities corrected, seven critical. The impacts include arbitrary code execution and denial of service. Adobe Connect, which is mainly used in collaborative contexts of training and communication. The stake is not only at the customer level, but potentially at the global environment level. No known active exploitation, but it is a tool that deserves special attention. Still on Adobe, InCopy version 21.2 and 25.2. Two critical vulnerabilities are corrected, with an impact of arbitrary code execution. InCopy, which is often integrated in professional editorial channels. This means that a compromise can spread beyond a simple isolated post. Again, restart of the required application after the deployment of the correction. Finally, Adobe InDesign. Eight vulnerabilities are corrected, six critical, with multiple impacts. Arbitrary code execution, denial of service, and dissemination of information. InDesign often deals with complex files and resources. This increases the risk level in production environments.
Let's move on to Microsoft, with Windows 11 Update, version 23.2, 24.2, 25.2, 26.1, as well as Windows Server 2027 and Edge Chromium. This is a maximum critical severity update. It is a bulletin that brings together several cumulative updates, referenced in particular by the KBs that are listed on the slide, and which depend on Windows versions. In total, Microsoft corrects 128 vulnerabilities. The impacts cover a very wide spectrum. Arbitrary code execution, security mechanisms, deprivation of privileges, denial of service, alteration of the system, dissemination of information. At this stage, Microsoft does not report any vulnerabilities actively exploited, or publicly disclosed failures. This does not mean that the risk is zero, but that the remediation window is still favorable. And so, as with any cumulative Windows update, a restart is required, which can require a little piloting on the IT side, especially on slightly critical machines. Regarding the non-issue problems that were encountered after the installation of the patch, the common point is BitLocker. On the Windows Server 2025 version, two elements are to be known. The first element is a change on the WSUS side. Microsoft temporarily deleted the detailed display of certain synchro errors, in the event of a mitigation for a vulnerability of remote code. The second point is that some systems can ask for the BitLocker recovery key during the first restart after the installation of the update, if the recommended BitLocker strategy is not correctly configured. Same behavior in BitLocker observed on Windows 11 for versions 23H2, 24H2 and 25H2. Concretely, it can be translated by users blocked by asking for a recovery key that they still do not have. It is not a security issue to talk about, but rather an important operational risk if the BitLocker keys are not correctly saved in the Active Directory, in Entra or in another secure box. Windows 10, Mika. Thank you, Lauriane.
Windows 10, Windows update for Windows 10 LTSB and servers. Here, more than 120 vulnerabilities corrected this month, with quite large impacts, execution of code, elevation of privileges, loss of information. There is no known operation at this stage, but Microsoft seems to be starting up again and is required to properly plan this update. Known issues for Windows 10 and servers. Here we have a summary of known problems after installation. We mainly find points of concern but it is important to consult the associated KBs, especially if you deploy on a large scale. Point net, a monthly roll-up with some vulnerabilities of the type of need service. Once again, no known operation and in most cases, no need to restart the machine here. It is integrated in the standard cycles. Microsoft Office. Here we will focus on the old versions, including versions close to the end of support. We are mainly on vulnerabilities of remote code execution, so to take into account. Here, Microsoft tells us that a restart of applications is necessary, but no known problem. Microsoft 365 and Office LTSC. Same logic for Microsoft. Same logic here. A dozen corrected vulnerabilities but no known operation. It is a highly recommended patch, especially on highly exposed user posts. SharePoint, security bulletin. Two vulnerabilities corrected here, including the one that is actively used. The message here remains the same. Immediate patch recommended on all environments concerned. Last bulletin on Microsoft's side on SQL servers. A vulnerability of privilege elevation, but fortunately not exploited to this day. Microsoft indicates that a restart is necessary, but no known problem.
Because they offer a privileged access to the internal environments. We continue with Docker then Firefox. Docker for Windows which corrects a vulnerability, which may seem minor but still, Docker remains a key component in development environments and sometimes in production. On the Firefox side, we observe volumes as high as 36 corrected vulnerabilities and specific correctives for ESR versions. As for Chrome, alternative browsers may be treated with the same level of priority especially in environments where they are authorized and standardized.
Foxit PDF Editor and Reader. There are several declines: the classic version, the Enterprise version, the subscription version. In any case, we find 7 corrected vulnerabilities per version. The PDF Editor and Reader remain a major attack, just like Adobe Reader, and the simple fact of opening a PDF can trigger an operation. We continue with Foxit PDF Reader, but this time on Consumer and Enterprise editions, always with the same vulnerability load. I will not go over each CVE, but you have the list at least for the slides. And then GIMP, which corrects 5 vulnerabilities. We are on a graphic tool which is often used to open files from external sources, so be careful about this part. This slide is particularly interesting for development environments. We have Golang, which corrects 10 vulnerabilities, and Node.js, which corrects 7 vulnerabilities, both on the current version and on the LTS version. So the development runtimes are not only tools for developers, they are often embedded in business applications, scripts or internal tools, so a vulnerable runtime can quickly become an indirect entry point in the environment. On this slide we find a set of tools also very common: Python, OpenJDK, Thunderbird. Python corrects 3 vulnerabilities, OpenJDK corrects 4. Thunderbird has quite high volumes, since we are on almost 50 vulnerabilities finally corrected on certain versions. Mail clients are privileged targets, since they usually contain joint pieces, links and frequent user interactions. And always on Thunderbird, with standard versions and ESR, we still observe frequent and necessary correctives, especially in environments where Thunderbird remains the main messenger. So even if ESR versions offer more stability, they require as much rigorous monitoring as security updates. Let's move on to Apple with Mika. Thank you, Lauriane. A short summary on the information on Apple's side: it is loaded with a lot of security updates, both on Apple OS and on widely used applications like browsers or
collaborative tools. We clearly see that the Apple ecosystem is today at the same level of volume of correctives as Windows, and that it must be fully integrated in the patching strategies. Here we go into a little more detail with native Apple updates. macOS Sonoma, Sequoia and Tahoe all receive important correctives, with several dozen vulnerabilities corrected each time. Safari is also concerned. The key message on this slide of updates with CVE is that these updates are highly recommended. It is not cosmetics, it is real security risks. Here we start the third application part on macOS. First big topic, Google Chrome. Updates are corrected this month with sometimes critical vulnerabilities. Chrome remains a priority target whatever the OS. So updates must be applied quickly, including on Mac. Same with Firefox, with several versions concerned, including the ESR versions. We are talking here about multiple vulnerabilities, mainly related to code execution and memory management. For environments that use Firefox, Firefox ESR on macOS, the patch here is clearly recommended. We focus on Microsoft Edge, still on macOS. Several successive updates this month with a high number of vulnerabilities corrected.
So even if Edge is sometimes perceived as less exposed, it remains based on Chromium, so the same patching existences are applied. Logically, with other versions of Edge, what must be kept in mind here is the high rate of corrections, sometimes a few heavy intervals. It highlights the importance of having reactive update processes, especially for browsers. On this slide we find both Edge and Microsoft Teams, still on macOS. Teams is often widely deployed and yet sometimes forgotten on the security side. So, same message for classic browsers, collaborative tools are part of the attack surface and we encourage to patch them very regularly. A little focus on Opera, less widespread than Chrome or Edge but still present in some environments. So it's several vulnerabilities that have been corrected, linked to Chromium. So, if Opera is authorized in your parks, consider watching this patch campaign. And finally, focus on Thunderbird standard and ESR versions. The volume of vulnerabilities corrected is important, especially for ESR versions. For organizations still using Thunderbird as main mail client, the update is clearly recommended, especially in sensitive contexts. Thank you all for your attention. I see there were some sound issues. I'm sorry, I didn't see them before. In any case, this is a session that is recorded. So, you can find this recording on the event page of the Patch Tuesday. And we will try to fix this issue next time. I don't see any other questions. Thank you all for your attention and see you next month. Goodbye. Thank you all. Goodbye.

TL;DR

  • April 2026 Patch Tuesday included 169 Microsoft vulnerabilities plus critical zero-days in Google Chrome (4th of 2026) and Adobe Acrobat Reader (exploited since December 2025), making it one of the largest patch cycles in history
  • Microsoft SharePoint zero-day actively exploited in the wild requires immediate patching for on-premises deployments, while Microsoft Defender flaw with public proof-of-concept code increases local privilege escalation risk
  • Adobe released 12 updates correcting 50+ CVEs across major products, with Acrobat Reader zero-day requiring only PDF opening for exploitation, demonstrating that utility applications remain critical attack surfaces
  • AI-powered vulnerability discovery tools like Project Glasswing are finding flaws faster than organizations can patch, necessitating shift from monthly calendar-based patching to continuous risk-based vulnerability management (RBVM)
  • Browser security is now enterprise-critical as Chrome, Edge, Firefox, and Safari provide direct access to cloud applications and internal tools, requiring rapid deployment cycles and version control visibility across all platforms including macOS

April 2026 Patch Tuesday Overview

This comprehensive security briefing covers the April 2026 Patch Tuesday cycle, which proved to be one of the most significant in recent history with 169 Microsoft vulnerabilities corrected. The session addresses critical zero-day exploits affecting Google Chrome and Adobe Acrobat Reader that emerged before the official patch release, highlighting the accelerating pace of vulnerability discovery. Microsoft's updates included one actively exploited zero-day in SharePoint and another publicly disclosed flaw in Microsoft Defender with available proof-of-concept code. The presenters emphasize that managing security on a monthly cycle is becoming increasingly unrealistic as AI-powered vulnerability discovery tools accelerate the threat landscape.

Critical Third-Party Security Updates

Adobe released 12 security updates this month, addressing over 50 CVEs including critical flaws across Acrobat Reader, Illustrator, Photoshop, Bridge, Connect, InCopy, and InDesign. The Acrobat Reader zero-day, exploited since December 2025 via malicious PDFs, represents a particularly serious threat requiring no user interaction beyond opening a document. Google Chrome's fourth zero-day of 2026 affects 3.5 billion users globally, demonstrating that browsers have become central attack surfaces for enterprise environments. The session stresses that utility applications like PDF readers and browsers must be prioritized in patching strategies, as they provide direct access to cloud applications, data, and internal tools while often bypassing traditional security layers.

Strategic Shift to Risk-Based Vulnerability Management

The presenters introduce a fundamental shift from calendar-based patch management to risk-based vulnerability management (RBVM), driven by AI models like Anthropic's Project Glasswing that can discover and chain vulnerabilities faster than human auditors. Traditional approaches of scanning, CVSS scoring, and monthly patching cycles are no longer sufficient when vulnerability discovery is accelerating exponentially. RBVM tools ingest data from vulnerability scanners and prioritize remediation based on business context, including whether assets are internet-exposed and their criticality to operations. The session emphasizes that organizations must move beyond asking whether systems are updated to understanding at what speed, with what visibility, and with what level of control over deployed versions.

Platform-Specific Updates and Deployment Guidance

The briefing provides detailed coverage of security updates across Windows 11, Windows Server 2027, macOS (Sonoma, Sequoia, Tahoe), and multiple browser platforms including Edge Chromium, Firefox ESR, Opera, and Safari. Windows updates address 128 vulnerabilities spanning arbitrary code execution, privilege escalation, denial of service, and information disclosure, though no actively exploited vulnerabilities were reported at the time of release. Apple's ecosystem received substantial attention with updates across all major OS versions and Safari, demonstrating that macOS now requires the same patching rigor as Windows environments. The session concludes with specific guidance on collaborative tools like Microsoft Teams and Thunderbird, which are often overlooked in security strategies despite being part of the attack surface, and emphasizes that application restarts are required for most corrections to take effect.

Chapters

0:00 - Introduction and Agenda
1:54 - April 2026 Patch Tuesday Overview
4:58 - Recent Security News and Trends
10:22 - Microsoft Security Bulletins
22:37 - Adobe Product Updates
27:41 - Windows and Server Updates
38:41 - Development Runtimes and Tools
40:07 - Apple macOS and iOS Updates
41:23 - Third-Party Applications on macOS
43:59 - Closing Remarks and Q&A

Key Quotes

1:54 "The patch Tuesday of April was rather tough and above all preceded by a lot of agitation on the security side."
4:19 "With the arrival of very powerful AI models capable of finding flaws in the code, we have to focus on more zero-day, more often, and especially on correctives that come out of the usual monthly cycles."
4:44 "Start to reason in risk exposure management rather than in simple patch management of the calendar."
8:16 "The discovery of vulnerability is becoming much faster than our ability to correct."
8:36 "In a world where discovery is accelerating, the real question becomes what do we correct in priority, under what delay, depending on the real risk and the business context."
23:11 "Adobe indicates not having observed any active exploitation at this stage, but in practice, we all know that this type of correction must be considered as a priority."

FAQ

What makes the April 2026 Patch Tuesday particularly significant compared to previous months?

April 2026 saw 169 Microsoft vulnerabilities corrected, making it one of the largest Patch Tuesday releases in history, second only to October 2025. Additionally, critical zero-days in Google Chrome and Adobe Acrobat Reader emerged before the official patch release, with the Acrobat vulnerability having been exploited since December 2025. The volume and severity of vulnerabilities, combined with actively exploited zero-days and public proof-of-concept code, created an unusually urgent security situation requiring immediate action across multiple platforms.

Why is risk-based vulnerability management (RBVM) becoming necessary instead of traditional monthly patching?

AI-powered tools like Anthropic's Project Glasswing can now discover vulnerabilities and chain multiple flaws into exploit sequences faster than traditional human audits or automated scanners. This acceleration means that waiting for monthly patch cycles creates unacceptable exposure windows. RBVM tools ingest vulnerability scanner data and prioritize remediation based on business context including internet exposure, asset criticality, and actual exploitation risk rather than just CVSS scores, enabling organizations to focus resources on the most dangerous vulnerabilities first.
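The prioritization described in the RBVM section and in this answer, as an added example that is not from the webinar or from any vendor's product: the same constructed scanner findings are ranked first by CVSS alone, then by a score that also weighs exploitation evidence, internet exposure and asset criticality. Finding IDs, asset names, weights and deadlines are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    fid: str                # placeholder finding ID, not a real CVE
    asset: str              # constructed asset name
    cvss: float             # base score reported by the scanner
    exploited: bool         # exploitation observed in the wild
    public_poc: bool        # proof-of-concept code is public
    internet_exposed: bool  # reachable from the internet
    criticality: int        # 1 (lab) .. 5 (business critical), from asset inventory

# Constructed sample: scanner export joined with asset inventory.
FINDINGS = [
    Finding("F-001", "build-lab-vm", 9.8, False, False, False, 1),
    Finding("F-002", "sharepoint-onprem", 6.5, True, False, True, 5),
    Finding("F-003", "hr-laptop-fleet", 7.8, True, False, False, 3),
    Finding("F-004", "endpoint-av", 7.0, False, True, False, 4),
    Finding("F-005", "intranet-wiki", 8.1, False, False, False, 2),
]

def risk_score(f):
    """Hypothetical weighting: threat evidence and business context scale CVSS."""
    threat = 3.0 if f.exploited else 1.5 if f.public_poc else 1.0
    exposure = 1.5 if f.internet_exposed else 1.0
    context = 0.5 + f.criticality / 5  # 0.7 for a lab asset, 1.5 for a critical one
    return round(f.cvss * threat * exposure * context, 2)

def sla_days(f):
    """Hypothetical remediation deadline derived from risk, not from the calendar."""
    if f.exploited and (f.internet_exposed or f.criticality >= 4):
        return 2
    if f.exploited or f.public_poc:
        return 7
    return 30

def by_cvss(findings):
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def by_risk(findings):
    return [f.fid for f in sorted(findings, key=risk_score, reverse=True)]

if __name__ == "__main__":
    print("CVSS-only order:", by_cvss(FINDINGS))
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        print(f.fid, f.asset, risk_score(f), f"patch within {sla_days(f)} days")
```

The exploited, internet-exposed finding with the lowest CVSS score moves from last place to first, while the 9.8 on an isolated lab machine drops to the bottom.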

Which applications require immediate patching following the April 2026 updates?

Absolute priority should be given to Google Chrome (fourth zero-day of 2026 affecting 3.5 billion users), Adobe Acrobat Reader (zero-day exploited since December 2025), and Microsoft SharePoint on-premises deployments (actively exploited zero-day). Secondary priorities include Microsoft Defender (publicly disclosed with proof-of-concept code), all Adobe Creative Suite applications (50+ CVEs across 12 products), and browsers across all platforms including Edge, Firefox ESR, Safari, and Opera. Application restarts are required for most corrections to take effect.

