June 2019 Patch Tuesday has seen Microsoft release 88 patches to address recently discovered vulnerabilities. 20 of the vulnerabilities have been rated critical, and 4 advisories and one servicing stack update have been released. None of the vulnerabilities are believed to have been exploited in the wild.
Included in this month’s round of updates are patches to correct four publicly disclosed vulnerabilities – those identified and publicly released by the security researcher SandboxEscaper. SandboxEscaper has identified several zero-day flaws in Windows and has developed PoC exploits. Details are usually publicly disclosed without notifying Microsoft. Some of the exploits developed by SandboxEscaper have been used in real world attacks.
The latest 4 privilege escalation exploits have been patched by Microsoft before they can be exploited. These are CVE-2019-1069, CVE-2019-0973, CVE-2019-1064, and CVE-2019-1053. All four vulnerabilities have been rated important. Three have been rated “exploitation more likely.”
The critical vulnerabilities are present in Windows, Microsoft Scripting engines, and Microsoft Browsers. If exploited they could allow remote code execution and information disclosure.
Critical Vulnerabilities
- Microsoft Browsers – Microsoft Browser Memory Corruption Vulnerability – CVE-2019-1038
- Microsoft Graphics Component – Microsoft Speech API Remote Code Execution Vulnerability – CVE-2019-0985
- Microsoft Scripting Engine – Chakra Scripting Engine Memory Corruption Vulnerabilities – CVE-2019-1002, CVE-2019-0991, CVE-2019-0992, CVE-2019-1024, CVE-2019-0989, CVE-2019-1052, CVE-2019-01051, CVE-2019-1003
- Microsoft Scripting Engine – Scripting Engine Memory Corruption Vulnerabilities – CVE-2019-0988, CVE-2019-1055, CVE-2019-0920
- Microsoft Scripting Engine – Scripting Engine Information Disclosure Vulnerabilities – CVE-2019-1023, CVE-2019-0990
- Microsoft Windows – Windows Hyper-V Remote Code Execution Vulnerabilities – CVE-2019-0722, CVE-2019-0620
- The advisories concern vulnerabilities in third party software – Adobe Flash Player (ADV190015); Microsoft Devices (ADV190016; ADV190016); and Microsoft Exchange Server (ADV190018).
This month Adobe has patched 11 vulnerabilities in Adobe ColdFusion, Flash Player, and Adobe Campaign. Three patches have been released for ColdFusion (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840); one for Adobe Flash (CVE-2019-7845) and 7 for Campaign, including the critical vulnerability CVE-2019-7843.