[SingCERT] Microsoft June 2019 Patch Tuesday

Published on Wednesday, 12 June 2019 18:00

Background

Microsoft has announced the release of 88 security patches to address vulnerabilities affecting its operating system and other products.

The following vulnerabilities were rated critical and require immediate attention:
   
• CVE-2019-0620, CVE-2019-0709, CVE-2019-0722 - These vulnerabilities exist when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code on the host operating system.

• CVE-2019-0985 - This vulnerability exists when the Microsoft Speech Application Programming Interface (SAPI) improperly handles text-to-speech (TTS) input. Successful exploitation of the vulnerability could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user.

• CVE-2019-0990, CVE-2019-1023 - These vulnerabilities exist when the scripting engine does not properly handle objects in memory in Microsoft Edge. Successful exploitation of the vulnerabilities could allow an attacker to obtain information to further compromise the user’s system.

• ADV190015 - This vulnerability exists due to a use-after-free error when processing Small Web Format (.swf) files in Adobe Flash Player. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code in the context of the current user.

• CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052 - These vulnerabilities exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. Successful exploitation of the vulnerabilities could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user.

• CVE-2019-1038 - This vulnerability exists in the way that Microsoft browsers access objects in memory. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code in the context of the current user.

• CVE-2019-0988 - This vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. Successful exploitation of the vulnerability could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user.

• CVE-2019-0920, CVE-2019-1055 - These vulnerabilities exist in the way that the scripting engine handles objects in memory in Microsoft browsers. Successful exploitation of the vulnerabilities could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user.

• CVE-2019-0888 - This vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the victim user’s privileges.

For the full list of security updates released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance.

Affected Products

The security release contains updates for the following:

• Adobe Flash Player
• Azure
• ChakraCore
• Internet Explorer
• Microsoft Edge
• Microsoft Exchange Server
• Microsoft Office and Microsoft Office Services and Web Apps
• Microsoft Windows
• Skype for Business and Microsoft Lync

Impact

Successful exploitation of these critical vulnerabilities could allow attackers to perform remote code execution and take control of the affected systems to carry out malicious activities, including installing programs without authorisation, creating rogue administrator accounts, and viewing, changing or deleting data.

Recommendation

Users and system administrators of affected products are advised to apply the security updates immediately.
