Microsoft’s June Patch Tuesday release covered 88 CVE, including 22 rated as critical and four that covered previously announced zero-day vulnerabilities.
The zero-day issues, all are elevation of privilege issues, were tagged as top priority patches of the month by several cybersecurity executives, although the good news is none of the zero days, or other vulnerabilities, were found to be in the wild. These are:
“Public Disclosure is an indicator or increased risk. Before the update was made available information about the vulnerability including possible proof of concept code has already been released to the general public. This means attackers have had early access to engineer an exploit to take advantage of these vulnerabilities,” said Chris Goettl, director of product management, Security, Ivanti
Satnam Narang, senior research engineer for Tenable, agreed the four zero day vulnerabilities required quick attention, but also called out CVE-2019-0888.
“The highest rated CVE in this month’s release is CVE-2019-0888, a vulnerability in the way ActiveX Data Objects (ADO) handles objects in memory. This could be exploited by an attacker to convince a user to visit a malicious website, resulting in arbitrary code execution as the current user,” he said.
Jimmy Graham, senior director of product management, at Qualys, pointed out three issued in Hyper-V Hypervisor Escape for attention.
“Three remote code execution vulnerabilities (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems,” he said.