Microsoft’s June Patch Tuesday announced the release of 88 vulnerability patches in this month’s security bulletin, as well as four advisories and one servicing stack update. Of the total number of updates, 21 patches were rated critical, 66 as important, and one as moderate. Four of the critical patches included in this release are fixes for the zero-days that SandboxEscaper previously disclosed, namely CVE-2019-1069, CVE-2019-1053, CVE-2019-1064, and CVE-2019-0973. The advisories include driver and software fixes for third party hardware and software flaws, including Adobe Flash Player, Azure, ChakraCore, Edge, Exchange Server, HoloLens’ Broadcomm wireless chipset, Internet Explorer, Skype for Business, Lync, Office, Office Services and Web Apps. None of the vulnerabilities have been seen exploited in the wild.
CVE-2019-1069 is a security flaw involving Windows Task Scheduler in Windows 10 and Server 2016 and above. Successfully exploiting this vulnerability provides an attacker with escalated privileges in the victim’s machine via local privilege escalation (LPE).
CVE-2019-2053 refers to a Windows Shell vulnerability that, when exploited, causes it to fail when validating folder shortcuts, enabling an attacker to elevate privileges and escape sandbox detection.
CVE-2019-1064 involves a flaw in the way Windows AppX Deployment Service (AppXSVC) handles hard links. An attacker running a customized application could exploit it to install, view, delete, or change programs and data.
CVE-2019-0973 is a security concern in Windows Installer that fails to sanitize input when exploited. An attacker can use it to elevate system privileges via the library in order to install programs; create a new account with full user rights; or view, change, or delete data in the victim’s machine.
The security advisories include firmware updates for remote code execution (RCE) flaws in Microsoft’s HoloLens device, specifically security flaws in the Broadcomm wireless chipset. Abusing CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503 could allow an attacker to execute commands in the system such as a denial of service (DoS) attack.
Another advisory also announced that applying this month’s patches for Feitian and Google Titan Bluetooth-based security keys causes the Bluetooth Low Energy (BLE) version of FIDO Security Keys to stop working due to a misconfiguration in pairing protocols. Abusing the bug can allow an attacker to interact with the key, enabling communication with the security key or the device where the key is paired. Users of the affected devices are advised to request for a free replacement.
The Trend Micro Deep Security and Vulnerability Protection solutions protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday release via the following Deep Packet Inspection (DPI) rules:
|1009764||Microsoft Office Security Feature Bypass Vulnerability||CVE-2019-0540|
|1009769||Microsoft Windows Codecs Library Information Disclosure Vulnerability||CVE-2018-8506|
|1009778||Microsoft Windows Speech API Remote Code Execution Vulnerability||CVE-2019-0985|
|1009779||Microsoft Windows Multiple Security Vulnerabilities (June-2019)||CVE-2019-0943, CVE-2019-0984, CVE-2019-0986, CVE-2019-1017, CVE-2019-1041, CVE-2019-1053, CVE-2019-1064, CVE-2019-1069|
|1009780||Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability||CVE-2019-0988|
|1009781||Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability||CVE-2019-0920|
|1009782||Microsoft Edge Scripting Engine Information Disclosure Vulnerability||CVE-2019-0990|
|1009783||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-0992|
|1009784||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-0993|
|1009785||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-0989|
|1009786||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-0991|
|1009787||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1024|
|1009788||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1051|
|1009789||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1002|
|1009790||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1003|
|1009791||Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability||CVE-2019-1005|
|1009792||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1052|
|1009793||Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability||CVE-2019-1055|
|1009794||Microsoft Edge Scripting Engine Information Disclosure Vulnerability||CVE-2019-1023|
|1009796||Adobe Flash Player Out-Of-Bounds Read Vulnerability||CVE-2019-7845|
The post June’s Patch Tuesday Fixes 88 Security Flaws, Including SandboxEscaper’s Zero Days, HoloLens appeared first on .