Published on June 11th, 2019

Microsoft patches 22 critical flaws, four zero days on June Patch Tuesday


Microsoft’s June Patch Tuesday release covered 88 CVEs,
including 22 rated as critical and four that covered previously announced zero-day
vulnerabilities.

The zero-day issues, all of which are elevation of privilege issues,
were tagged as the top priority patches of the month by several cybersecurity
executives, although the good news is that none of the zero days, or other vulnerabilities,
were found to be in the wild. These are:

  • CVE-2019-1069 affects Windows Task Scheduler
    on Windows 10, Server 2016 and later versions.
  • CVE-2019-1064 is in Windows, affecting Windows
    10, Server 2016 and later.
  • CVE-2019-1053 is a vulnerability in Windows
    Shell and affects all currently supported Windows operating systems.
  • CVE-2019-0973 is a vulnerability in Windows
    Installer.

“Public Disclosure is an indicator of increased risk. Before
the update was made available, information about the vulnerability, including
possible proof of concept code, has already been released to the general public.
This means attackers have had early access to engineer an exploit to take
advantage of these vulnerabilities,” said Chris Goettl, director of product
management, Security, Ivanti.

Satnam Narang, senior
research engineer for Tenable, agreed the four zero-day vulnerabilities
required quick attention, but also called out CVE-2019-0888.

“The highest rated CVE in this month’s release is
CVE-2019-0888, a vulnerability in the way ActiveX Data Objects (ADO) handles
objects in memory. This could be exploited by an attacker to convince a user to
visit a malicious website, resulting in arbitrary code execution as the current
user,” he said.

Jimmy Graham, senior director of product management at
Qualys, pointed out three Hyper-V hypervisor escape issues for attention.

“Three remote code execution vulnerabilities (CVE-2019-0620,
CVE-2019-0709, and CVE-2019-0722) are patched in Hyper-V that would allow an
authenticated user on a guest system to run arbitrary code on the host system.
Microsoft notes that exploitation of this vulnerability is less likely, but
these patches should still be prioritized for Hyper-V systems,” he said.
