Patch Tuesday – June 2019

This month Microsoft patches four zero-day flaws in Windows 10 and some Bluetooth security keys stop working.

Four Zero-Days Patched

This month Microsoft issued fixes for four zero-day bugs in Windows. BearLPE (CVE-2019-1069) is a bug in the Task Scheduler component of Windows 10 and Windows Server that could allow an attacker to elevate privileges. SandboxEscape (CVE-2019-1053) is a Windows Shell elevation of privilege (EOP) bug that fails to validate folder shortcuts and could allow an attacker to elevate privileges by escaping a sandbox. CVE-2019-1064 was issued to prevent bypass of a previous EOP bug (CVE-2019-0841) in the AppX Deployment Service. Finally, InstallerBypass (CVE-2019-0973) is another EOP bug affecting Windows 10 and Windows 8, this time in the Windows Installer service when it fails to properly check input, which could allow an attacker to load an insecure library.

SandboxEscaper, the security researcher that has been revealing tons of bugs in Windows of late, also published details on a fifth zero-day called ByeBear that affects Windows 10 and Server 2019. It is another method of exploiting the AppX Deployment Service patch that Microsoft is deploying this month. As fast as Microsoft patches this exploit, SandboxEscaper finds another way around it. If Microsoft deems it serious enough, we might see this new bug patched before next month’s Patch Tuesday.

Windows 10, Windows Server 2016, and 2019

Aside from the four zero-days, Microsoft patched 11 remote code execution (RCE) bugs, three of which are rated critical. CVE-2019-0620 and CVE-2019-0722 are a Hyper-V bug that could let an attacker run arbitrary code on the host operating system by running specially designed code in a guest OS. CVE-2019-0888 is a vulnerability in the way ActiveX Data Objects (ADO) handle objects in memory and could allow an attacker to compromise a machine by convincing a user to visit a specially crafted website.

There are also 9 RCEs rated critical for Microsoft Edge and Chakra Core, all of which are either memory corruption bugs or problems with the way objects are handled in memory. Some of these vulnerabilities also affect Internet Explorer.

Windows 7 SP1 and Windows Server 2008 R2

Windows 7 gets patches for two critical RCEs. One is for CVE-2019-0888, the ActiveX Data Objects flaw described above. The second (CVE-2019-0985), is a bug in how the Microsoft Speech API (SAPI) handles text-to-speech (TTS) input. To exploit this flaw, a user would have to be convinced to open a specially crafted document with TTS content.

Additionally, a patch for CVE-2019-1019 fixes a problem where NETLOGON message might be able to get the session key and sign messages.

Microsoft Office

Office 365 Pro Plus (Click-to-Run) gets a patch for two RCEs. CVE-2019-1034 and CVE-2019-1035 are both flaws in Word that fail to properly handle objects in memory and could allow an attacker to run actions in the context of the logged in user.

All supported versions of Exchange get a patch that improves defense-in-depth security. Microsoft SharePoint Server 2010 SP2, SharePoint Enterprise Server 2013 SP1, 2016, and 2019 are all patched for the Word memory vulnerability (CVE-2019-1034) that is outlined above.

Bluetooth Low Energy Keys

After you apply the updates for this month’s Patch Tuesday, you will no longer be able to pair Feitian and Google Titan security keys containing a misconfiguration in the Bluetooth pairing protocols that could allow an attacker to interact with the key. For more information about this issue, see Microsoft’s website here. If you have an affected Google key, you can use this page to request a free replacement.

Adobe

Last but not least, Adobe fixed several RCEs flaws rated critical in Flash Player, Acrobat, and Acrobat Reader.