Microsoft patched 88 security vulnerabilities today, and also published four advisories as part of its monthly Patch Tuesday update. Quite a sizeable number of fixes!
The patches released today cover a broad range of products and services including: Microsoft Windows, Internet Explorer, Office, Office Services and Web Apps, Edge, ChakraCore, Skype for Business, Microsoft Lync, Exchange Server, Azure, and SQL Server. 21 patches were rated Critical in severity, and 66 categorised as Important, and only one is ranked Moderate.
This is quite a large number of fixes, so is important that companies work to test and roll out to ensure they are protected. Here are some of the more noteworthy bugs listed in Microsoft’s June roundup:
CVE-2019-1053 (sandboxescape) is publicly know flaw in the Windows Shell that could allow elevation of privilege on affected systems by escaping a sandbox; it affects all Windows operating systems. CVE-2019-1069 (BearLPE), an elevation of privilege vulnerability in Windows Task Scheduler, exists in the way Task Scheduler Service validates some file operations.
Other publicly known bugs include CVE-2019-0973 (InstallerBypass), which occurs when the Windows Installer fails to properly sanitise input, leading to an insecure library loading behaviour. An attacker could exploit this to run malicious code with elevated privileges. CVE-2019-1064 (CVE-2019-0841 BYPASS) could also be used to elevate privileges on target systems.
Exploits for all of these were posted on GitHub by the security researcher, who had published zero-days in the past.
When the bugs were publicly disclosed in May, researchers predicted the likelihood of danger was low.
Three Critical vulnerabilities patched were Hyper-V RCE bugs (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722).
While Microsoft says exploitation is less likely, they stated that “these patches should still be prioritized for Hyper-V systems.”
Also patched today were CVE-2019-1019 – a Windows Security Feature Bypass Vulnerability, and CVE-2019-1040 – a Windows NTLM Tampering Vulnerability. Both reported by Preempt.
Greg Wiseman, senior security researcher with Rapid7, calls CVE-2019-1019 a “nasty-looking” bug that could enable an attacker to steal a session key using a specially crafted NETLOGON message;. The attacker could use this to access other systems by posing as the original user.
Researchers found that although domain controllers would deny requests if the expected machine name was different from the one that established the secure channel, the controllers would accept requests if the computer name field was missing, they explain in a blog post.
Lastly, is CVE-2019-1040. Preempt researchers bypassed the Message Integrity Code protection in NTLM authentication and could change any field in the NTLM message flow.
The bypass could let attacker relay authentication attempts which have negotiated signing to another server, while removing the signing requirement. All servers that don’t enforce signing are vulnerable.
Time to test and rollout these patches pronto!