Microsoft Patch Tuesday for June fixes 88 vulnerabilities, 21 of which are rated “Critical”, 66 “Important” and one “Moderate”. Majority of the “Critical” vulnerabilities affect the scripting engines used in Microsoft browsers which can lead to remote code execution (RCE) or information disclosure. Among the 66 “Important” vulnerabilities, four are disclosed by SandboxEscaper at the end of May who released proof-of-concepts (PoCs) code to trigger local privilege elevation. CVE-2019-1069 exploits the way Task Scheduler Service validates file operation (BearLPE PoC). CVE-2019-0973 is caused by Windows Installer’s failure to properly sanitise input leading to an insecure library loading behaviour (InstallerBypass PoC). CVE-2019-1064 is due to AppX Deployment Service (AppXSVC) improper handling of hardlinks (CVE-2019-0841-BYPASS PoC). CVE-2019-1053 exists when the Window Shells fail to validate folder shortcuts (SandboxEscape PoC). None of the disclosed vulnerabilities have been detected as being exploited in the wild. Adobe also released updates for Flash, ColdFusion, and Campaign. The Flash update fixes one critical use-after-free bug (CVE-2019-7845) that can be exploited for RCE. The ColdFusion updates address three critical RCE vulnerabilities while the Adobe Campaign patch fixes seven different vulnerabilities, with one labelled as Critical.
More Weekly Cyber Newsanalysis and insights
Enhancing your security posture, developing your cyber strategy, and designing your incident response plans.
Architecting and implementing cybersecurity solutions that bolster defences
Ensign Managed Security Services
Managing your security operations for advanced threat detection, continuous monitoring, and triage services