Microsoft’s June 2019 Patch Tuesday fixes many of SandboxEscaper’s zero-days

Microsoft


Image: Microsoft

Microsoft has published today its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of “Critical,” the company’s highest severity ranking.

Furthermore, the May 2019 Patch Tuesday also included fixes for four of the five zero-days that a security researcher and exploit seller by the name of SandboxEscaper published online over the course of the last month.

Security patches are available for:

Fixes for a fifth zero-day weren’t ready in time, as SandboxEscaper published details about this bug only last week, on Friday, June 7, leaving Microsoft no time to put together and test a patch.

The good news is that despite details and proof-of-concept demo exploit code being available for all these four zero-days, none of them were incorporated in malware campaigns.

Furthermore, of all the 88 vulnerabilities patched this month, none was exploited in the wild either.

Other important fixes

But besides patches for Windows and Office products, Microsoft also issued a security advisory about separate firmware updates for HoloLens devices.

This month, Microsoft patched four remote code execution (RCE) flaws that affect the Broadcom wireless chipset included in Microsoft HoloLens devices.

The four RCEs are CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

And since RCEs are about the worse bugs around, we’ll also highlight that Microsoft also patched nine RCEs in the Chakra Scripting Engine (included with Edge), four RCEs in the Microsoft Scripting Engine, three RCEs in the Microsoft Hyper-V hypervisor, an RCE in the Microsoft Speech API, and an RCE impacting both Edge and Internet Explorer.

Faulty BLE security keys won’t work anymore

Last, but not least, Microsoft also warned that some Bluetooth-based security keys would stop working on Windows after applying today’s patches.

More specifically, Microsoft is referring to Feitian and Google Titan security keys, which contain a misconfiguration in the Bluetooth pairing protocols that allows an attacker to interact with the key.

“Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration,” the OS maker said.

Users of these devices are advised to look into requesting a free replacement, which both Google and Feitian are providing for free.

Additional info

Since the Microsoft Patch Tuesday is also the day when other vendors also release security patches, it’s also worth mentioning that Adobe and SAP have also published their respective security updates earlier today.

More in-depth information on today’s Patch Tuesday updates is available on Microsoft’s official Security Update Guide portal. You can also consult the table embedded below or this Patch Tuesday report generated by ZDNet.

Tag CVE ID CVE Title
Servicing Stack Updates ADV990001 Latest Servicing Stack Updates
Adobe Flash Player ADV190015 June 2019 Adobe Flash Security Update
Microsoft Devices ADV190016 Bluetooth Low Energy Advisory
Microsoft Devices ADV190017 Microsoft HoloLens Remote Code Execution Vulnerabilities
Microsoft Exchange Server ADV190018 Microsoft Exchange Server Defense in Depth Update
Kerberos CVE-2019-0972 Local Security Authority Subsystem Service Denial of Service Vulnerability
Microsoft Browsers CVE-2019-1081 Microsoft Browser Information Disclosure Vulnerability
Microsoft Browsers CVE-2019-1038 Microsoft Browser Memory Corruption Vulnerability
Microsoft Edge CVE-2019-1054 Microsoft Edge Security Feature Bypass Vulnerability
Microsoft Graphics Component CVE-2019-1018 DirectX Elevation of Privilege Vulnerability
Microsoft Graphics Component CVE-2019-1047 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1046 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1013 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1015 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1016 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1048 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-0977 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-0960 Win32k Elevation of Privilege Vulnerability
Microsoft Graphics Component CVE-2019-0968 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1049 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1050 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-0985 Microsoft Speech API Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2019-1010 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1009 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1011 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1012 Windows GDI Information Disclosure Vulnerability
Microsoft JET Database Engine CVE-2019-0905 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0974 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0904 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0906 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0908 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0909 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0907 Jet Database Engine Remote Code Execution Vulnerability
Microsoft Office CVE-2019-1035 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2019-1034 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2019-1032 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2019-1036 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2019-1031 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2019-1033 Microsoft Office SharePoint XSS Vulnerability
Microsoft Scripting Engine CVE-2019-1002 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0991 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1080 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1023 Scripting Engine Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2019-0993 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0992 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1024 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0990 Scripting Engine Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2019-0988 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0989 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1055 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1052 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1051 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0920 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1003 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Windows CVE-2019-1069 Task Scheduler Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1064 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0888 ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-1025 Windows Denial of Service Vulnerability
Microsoft Windows CVE-2019-1045 Windows Network File System Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1043 Comctl32 Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-0710 Windows Hyper-V Denial of Service Vulnerability
Microsoft Windows CVE-2019-0709 Windows Hyper-V Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-0722 Windows Hyper-V Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-0943 Windows ALPC Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0713 Windows Hyper-V Denial of Service Vulnerability
Microsoft Windows CVE-2019-0983 Windows Storage Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0984 Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0711 Windows Hyper-V Denial of Service Vulnerability
Microsoft Windows CVE-2019-0948 Windows Event Viewer Information Disclosure Vulnerability
Microsoft Windows CVE-2019-0959 Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0998 Windows Storage Service Elevation of Privilege Vulnerability
Skype for Business and Microsoft Lync CVE-2019-1029 Skype for Business and Lync Server Denial of Service Vulnerability
Team Foundation Server CVE-2019-0996 Azure DevOps Server Spoofing Vulnerability
VBScript CVE-2019-1005 Scripting Engine Memory Corruption Vulnerability
Windows Authentication Methods CVE-2019-1040 Windows NTLM Tampering Vulnerability
Windows Hyper-V CVE-2019-0620 Windows Hyper-V Remote Code Execution Vulnerability
Windows IIS CVE-2019-0941 Microsoft IIS Server Denial of Service Vulnerability
Windows Installer CVE-2019-0973 Windows Installer Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1044 Windows Secure Kernel Mode Security Feature Bypass Vulnerability
Windows Kernel CVE-2019-1014 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1017 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1065 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1041 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1039 Windows Kernel Information Disclosure Vulnerability
Windows Media CVE-2019-1026 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1007 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1027 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1022 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1021 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1028 Windows Audio Service Elevation of Privilege Vulnerability
Windows NTLM CVE-2019-1019 Microsoft Windows Security Feature Bypass Vulnerability
Windows Shell CVE-2019-0986 Windows User Profile Service Elevation of Privilege Vulnerability
Windows Shell CVE-2019-1053 Windows Shell Elevation of Privilege Vulnerability

More vulnerability reports:

Source Article from https://www.zdnet.com/article/microsofts-june-2019-patch-tuesday-fixes-many-of-sandboxescapers-zero-days/#ftag=RSSbaffb68
Microsoft’s June 2019 Patch Tuesday fixes many of SandboxEscaper’s zero-days
https://www.zdnet.com/article/microsofts-june-2019-patch-tuesday-fixes-many-of-sandboxescapers-zero-days/#ftag=RSSbaffb68
http://www.zdnet.com/blog/rss.xml
Latest blogs for ZDNet
Latest blogs for ZDNet
https://zdnet3.cbsistatic.com/fly/bundles/zdnetcore/images/logos/zdnet-144×144.png

Article written by

great guy, love the news

Please comment with your real name using good manners.

Leave a Reply

You must be logged in to post a comment.