Microsoft’s June Patch Tuesday release covered 88 CVE, including 22 rated as critical and four that covered previously announced zero-day vulnerabilities.
The zero-day issues, all are elevation of privilege issues, were tagged as top priority patches of the month by several cybersecurity executives, although the good news is none of the zero days, or other vulnerabilities, were found to be in the wild. These are:
- CVE-2019-1069 affects Windows Task Scheduler which could affecting Windows 10, Server 2016 and later versions.
- CVE-2019-1064 is in Windows affecting Windows 10, Server 2016 and later.
- CVE-2019-1053 is a vulnerability in Windows Shell and affects all currently supported Windows operating systems.
- CVE-2019-0973 is a vulnerability in Windows Installer.
“Public Disclosure is an indicator or increased risk. Before the update was made available information about the vulnerability including possible proof of concept code has already been released to the general public. This means attackers have had early access to engineer an exploit to take advantage of these vulnerabilities,” said Chris Goettl, director of product management, Security, Ivanti
Satnam Narang, senior research engineer for Tenable, agreed the four zero day vulnerabilities required quick attention, but also called out CVE-2019-0888.
“The highest rated CVE in this month’s release is CVE-2019-0888, a vulnerability in the way ActiveX Data Objects (ADO) handles objects in memory. This could be exploited by an attacker to convince a user to visit a malicious website, resulting in arbitrary code execution as the current user,” he said.
Jimmy Graham, senior director of product management, at Qualys, pointed out three issued in Hyper-V Hypervisor Escape for attention.
“Three remote code execution vulnerabilities (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems,” he said.