The months are rolling round fast meaning its update timeagain. The June Patch Tuesday security updates include a total of 88 vulnerabilities.17 updates have been rated Critical, 65 Important, 4 vulns have been publiclydisclosed, but none have been detected as already exploited in the wild.
MS products covered by these updates are Windows OperatingSystems, Hyper-V, Azure, Microsoft Edge and Internet Explorer Browsers, Office,ChakraCore scripting engine, Skype for Business, and MS Exchange Server.
CVE-2019-0620, CVE-2019-0709 & CVE-2019-0722 focus on a critical remote code execution vulnerabilities in Microsoft’s virtual machine hypervisor, Hyper-V, that is available in its windows operating systems. A malicious application can be used on a virtual machine (guest OS) to trigger the exploit and cause code execution on the physical host OS that the guest is running on. This is due to a failure in the input validation of authenticated users on the guest virtual machine.
A memory handling vuln exists in ActiveX Data Objects (ADO) that can result in the execution of remote code, using the logged in user privileges. CVE-2019-0888 can be exploited by a malicious actor by convincing the user to access a crafted website.
Eight of the remaining critical vulns belong to the Chakracore scripting engines in Microsoft Edge and Internet Explorer browsers. Each relateto handling issues for objects in memory, that if exploited allow the sameprivileges as the current user. If the current user has admin rights, an attackerlaunching the exploit could gain complete control of the target system.
An Important spoofing vuln has been identified in the Azure DevOps server. CVE-2019-0996 results in cross site request forgery, via improper handling of application authorisation requests. An attacker can use a crafted page that convinces the user to click a malicious link and exploit this vuln. OAuth authorisation can then be bypassed to register applications in Azure DevOps.
Please review this month’s updates and get patching as soonas you can!
Keeping up to date with security patches for your operatingsystems and software, is a critical part of delivering and maintaining a strongsecurity posture, please ensure you test and update as quickly as possible to reducerisk, prevent exploitation and to ultimately stay secure.
On a final note if you somehow missed out patching the May 2019 updates, please do get patching straight away, as it is vital everyone is protected against the CVE-2019-0708 critical RDP vuln, that could be the next WannaCry.
For a full list of this month’s updates please see the linksbelow:
Patch Tuesday release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/253dc509-9a5b-e911-a98e-000d3a33c573
Security update guide: https://portal.msrc.microsoft.com/en-us/security-guidance
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.