Microsoft patched four Windows operating system bugs – all of which are already publicly known or have proof of concept exploits – as part of its June Patch Tuesday security bulletin. Each of the vulnerabilities is rated important and there are no reports of public exploitation for the flaws.
The four bugs are part of a total of 88 vulnerabilities that were patched by Microsoft this month, 21 of which are rated critical, 66 rated important and one moderate.
Raising the most concern among security experts are the four bugs that are publicly known. One of those bugs (CVE-2019-1069) is a Windows Task Scheduler vulnerability affecting Windows 10, Server 2016 and later, according to Microsoft. The flaw, Microsoft reported, could allow Elevation of Privilege on the affected system.
“Public disclosure is an indicator of increased risk,” wrote Chris Goettl, director of product management, security at Ivanti in a written analysis. “This means attackers have had early access to engineer an exploit to take advantage of these vulnerabilities.”
Goettl warned all four of the previously known bugs (CVE-2019-1069, CVE-2019-1064, CVE-2019-1053 and CVE-2019-0973) should be a patching priority for system administrators.
Another bug (CVE-2019-1064) is a vulnerability in Windows that could allow Elevation of Privilege on the affected system. It affects Windows 10, Server 2016 and later.
The third bug (CVE-2019-1053) is a Windows Shell vulnerability that could also create Elevation of Privilege conditions on the affected system by escaping a sandbox, according to Microsoft. The flaw affects all currently supported Windows operating systems. The last of the four publicly known bugs (CVE-2019-0973) is a vulnerability in Windows Installer that could also allow Elevation of Privilege on the affected system due to improper sanitization of input from loaded libraries.
Hyper-V and Office Vulnerabilities
Security researchers are also flagging three hypervisor escape bugs in Hyper-V. The patches address three remote code execution vulnerabilities (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system, noted Jimmy Graham, a director at Qualys, in his Patch Tuesday commentary. “Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.”
Patches for two potentially serious remote code execution vulnerabilities in Microsoft Word (CVE-2019-1034 and CVE-2019-1035) are also worth prioritizing, according to commentary from Allan Liska, threat intelligence analyst at Recorded Future. This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365, according to Microsoft.
“Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited,” he said.
Liska said both are memory corruption vulnerabilities that require an attacker to send a specially crafted Microsoft Word document for a victim to open. He said that alternatively, an attacker could convince a victim to click on a link to a website hosting a malicious Microsoft Word document.
Also affecting Office are three cross-site scripting vulnerabilities in SharePoint (CVE-2019-1031, CVE-2019-1033 and CVE-2019-1036). “[The] vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server,” Microsoft wrote of each of the CVEs. A successful exploit of any of the bugs allows an adversary to read unauthorized content, use the victim’s identity to further access a SharePoint site and change permissions, delete content or place malicious content in the user’s browser.
NTLM Relay Attack Bug
Microsoft also patched two moderate vulnerabilities, CVE-2019-1040 and CVE-2019-1019, that allowed attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.
According to researchers at Preempt, who discovered the flaws, the two CVEs consist of three logical flaws in NTLM, Microsoft’s proprietary authentication protocol.
Aside from the 88 bugs patched, Microsoft released a number of advisories. Here they are as reported by Qualys:
- ADV190016 disables the ability to use certain Bluetooth Low Energy FIDO security keys, due to a vulnerability that was disclosed in May. Google and Feitian have issued advisories for customers of these keys.
- ADV190017 fixes several vulnerabilities in HoloLens that could allow an unauthenticated attacker to DoS or compromise HoloLens devices if they are in close proximity.
- ADV190018 refers to a “Microsoft Exchange Server Defense in Depth Update,” but there are no details provided around the update as of the time of this writing.