Microsoft’s June 2019 Patch Tuesday fixes many of SandboxEscaper’s zero-days
Image: Microsoft
Microsoft has published today its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of “Critical,” the company’s highest severity ranking.
Furthermore, the May 2019 Patch Tuesday also included fixes for four of the five zero-days that a security researcher and exploit seller by the name of SandboxEscaper published online over the course of the last month.
Security patches are available for:
Fixes for a fifth zero-day weren’t ready in time, as SandboxEscaper published details about this bug only last week, on Friday, June 7, leaving Microsoft no time to put together and test a patch.
The good news is that despite details and proof-of-concept demo exploit code being available for all these four zero-days, none of them were incorporated in malware campaigns.
Furthermore, of all the 88 vulnerabilities patched this month, none was exploited in the wild either.
Other important fixes
But besides patches for Windows and Office products, Microsoft also issued a security advisory about separate firmware updates for HoloLens devices.
This month, Microsoft patched four remote code execution (RCE) flaws that affect the Broadcom wireless chipset included in Microsoft HoloLens devices.
The four RCEs are CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
And since RCEs are about the worse bugs around, we’ll also highlight that Microsoft also patched nine RCEs in the Chakra Scripting Engine (included with Edge), four RCEs in the Microsoft Scripting Engine, three RCEs in the Microsoft Hyper-V hypervisor, an RCE in the Microsoft Speech API, and an RCE impacting both Edge and Internet Explorer.
Faulty BLE security keys won’t work anymore
Last, but not least, Microsoft also warned that some Bluetooth-based security keys would stop working on Windows after applying today’s patches.
More specifically, Microsoft is referring to Feitian and Google Titan security keys, which contain a misconfiguration in the Bluetooth pairing protocols that allows an attacker to interact with the key.
“Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration,” the OS maker said.
Users of these devices are advised to look into requesting a free replacement, which both Google and Feitian are providing for free.
Additional info
Since the Microsoft Patch Tuesday is also the day when other vendors also release security patches, it’s also worth mentioning that Adobe and SAP have also published their respective security updates earlier today.
More in-depth information on today’s Patch Tuesday updates is available on Microsoft’s official Security Update Guide portal. You can also consult the table embedded below or this Patch Tuesday report generated by ZDNet.
TagCVE IDCVE Title Servicing Stack Updates ADV990001 Latest Servicing Stack Updates Adobe Flash Player ADV190015 June 2019 Adobe Flash Security Update Microsoft Devices ADV190016 Bluetooth Low Energy Advisory Microsoft Devices ADV190017 Microsoft HoloLens Remote Code Execution Vulnerabilities Microsoft Exchange Server ADV190018 Microsoft Exchange Server Defense in Depth Update Kerberos CVE-2019-0972 Local Security Authority Subsystem Service Denial of Service Vulnerability Microsoft Browsers CVE-2019-1081 Microsoft Browser Information Disclosure Vulnerability Microsoft Browsers CVE-2019-1038 Microsoft Browser Memory Corruption Vulnerability Microsoft Edge CVE-2019-1054 Microsoft Edge Security Feature Bypass Vulnerability Microsoft Graphics Component CVE-2019-1018 DirectX Elevation of Privilege Vulnerability Microsoft Graphics Component CVE-2019-1047 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1046 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1013 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1015 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1016 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1048 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-0977 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-0960 Win32k Elevation of Privilege Vulnerability Microsoft Graphics Component CVE-2019-0968 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1049 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1050 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-0985 Microsoft Speech API Remote Code Execution Vulnerability Microsoft Graphics Component CVE-2019-1010 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1009 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1011 Windows GDI Information Disclosure Vulnerability Microsoft Graphics Component CVE-2019-1012 Windows GDI Information Disclosure Vulnerability Microsoft JET Database Engine CVE-2019-0905 Jet Database Engine Remote Code Execution Vulnerability Microsoft JET Database Engine CVE-2019-0974 Jet Database Engine Remote Code Execution Vulnerability Microsoft JET Database Engine CVE-2019-0904 Jet Database Engine Remote Code Execution Vulnerability Microsoft JET Database Engine CVE-2019-0906 Jet Database Engine Remote Code Execution Vulnerability Microsoft JET Database Engine CVE-2019-0908 Jet Database Engine Remote Code Execution Vulnerability Microsoft JET Database Engine CVE-2019-0909 Jet Database Engine Remote Code Execution Vulnerability Microsoft JET Database Engine CVE-2019-0907 Jet Database Engine Remote Code Execution Vulnerability Microsoft Office CVE-2019-1035 Microsoft Word Remote Code Execution Vulnerability Microsoft Office CVE-2019-1034 Microsoft Word Remote Code Execution Vulnerability Microsoft Office SharePoint CVE-2019-1032 Microsoft Office SharePoint XSS Vulnerability Microsoft Office SharePoint CVE-2019-1036 Microsoft Office SharePoint XSS Vulnerability Microsoft Office SharePoint CVE-2019-1031 Microsoft Office SharePoint XSS Vulnerability Microsoft Office SharePoint CVE-2019-1033 Microsoft Office SharePoint XSS Vulnerability Microsoft Scripting Engine CVE-2019-1002 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-0991 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1080 Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1023 Scripting Engine Information Disclosure Vulnerability Microsoft Scripting Engine CVE-2019-0993 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-0992 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1024 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-0990 Scripting Engine Information Disclosure Vulnerability Microsoft Scripting Engine CVE-2019-0988 Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-0989 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1055 Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1052 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1051 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-0920 Scripting Engine Memory Corruption Vulnerability Microsoft Scripting Engine CVE-2019-1003 Chakra Scripting Engine Memory Corruption Vulnerability Microsoft Windows CVE-2019-1069 Task Scheduler Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-1064 Windows Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-0888 ActiveX Data Objects (ADO) Remote Code Execution Vulnerability Microsoft Windows CVE-2019-1025 Windows Denial of Service Vulnerability Microsoft Windows CVE-2019-1045 Windows Network File System Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-1043 Comctl32 Remote Code Execution Vulnerability Microsoft Windows CVE-2019-0710 Windows Hyper-V Denial of Service Vulnerability Microsoft Windows CVE-2019-0709 Windows Hyper-V Remote Code Execution Vulnerability Microsoft Windows CVE-2019-0722 Windows Hyper-V Remote Code Execution Vulnerability Microsoft Windows CVE-2019-0943 Windows ALPC Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-0713 Windows Hyper-V Denial of Service Vulnerability Microsoft Windows CVE-2019-0983 Windows Storage Service Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-0984 Windows Common Log File System Driver Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-0711 Windows Hyper-V Denial of Service Vulnerability Microsoft Windows CVE-2019-0948 Windows Event Viewer Information Disclosure Vulnerability Microsoft Windows CVE-2019-0959 Windows Common Log File System Driver Elevation of Privilege Vulnerability Microsoft Windows CVE-2019-0998 Windows Storage Service Elevation of Privilege Vulnerability Skype for Business and Microsoft Lync CVE-2019-1029 Skype for Business and Lync Server Denial of Service Vulnerability Team Foundation Server CVE-2019-0996 Azure DevOps Server Spoofing Vulnerability VBScript CVE-2019-1005 Scripting Engine Memory Corruption Vulnerability Windows Authentication Methods CVE-2019-1040 Windows NTLM Tampering Vulnerability Windows Hyper-V CVE-2019-0620 Windows Hyper-V Remote Code Execution Vulnerability Windows IIS CVE-2019-0941 Microsoft IIS Server Denial of Service Vulnerability Windows Installer CVE-2019-0973 Windows Installer Elevation of Privilege Vulnerability Windows Kernel CVE-2019-1044 Windows Secure Kernel Mode Security Feature Bypass Vulnerability Windows Kernel CVE-2019-1014 Win32k Elevation of Privilege Vulnerability Windows Kernel CVE-2019-1017 Win32k Elevation of Privilege Vulnerability Windows Kernel CVE-2019-1065 Windows Kernel Elevation of Privilege Vulnerability Windows Kernel CVE-2019-1041 Windows Kernel Elevation of Privilege Vulnerability Windows Kernel CVE-2019-1039 Windows Kernel Information Disclosure Vulnerability Windows Media CVE-2019-1026 Windows Audio Service Elevation of Privilege Vulnerability Windows Media CVE-2019-1007 Windows Audio Service Elevation of Privilege Vulnerability Windows Media CVE-2019-1027 Windows Audio Service Elevation of Privilege Vulnerability Windows Media CVE-2019-1022 Windows Audio Service Elevation of Privilege Vulnerability Windows Media CVE-2019-1021 Windows Audio Service Elevation of Privilege Vulnerability Windows Media CVE-2019-1028 Windows Audio Service Elevation of Privilege Vulnerability Windows NTLM CVE-2019-1019 Microsoft Windows Security Feature Bypass Vulnerability Windows Shell CVE-2019-0986 Windows User Profile Service Elevation of Privilege Vulnerability Windows Shell CVE-2019-1053 Windows Shell Elevation of Privilege Vulnerability
More vulnerability reports:
- New RCE vulnerability impacts nearly half of the internet’s email servers
- Diebold Nixdorf warns customers of RCE bug in older ATMs
- Windows 10 zero-day details published on GitHub
- Major HSM vulnerabilities impact banks, cloud providers, governments
- ‘RAMBleed’ Rowhammer attack can now steal data, not just alter it
- Remote attack flaw found in IPTV streaming service
- KRACK attack: Here’s how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic
Article source: https://www.zdnet.com/article/microsofts-june-2019-patch-tuesday-fixes-many-of-sandboxescapers-zero-days/#ftag=RSSbaffb68