Critical browser flaws among scores of bugs fixed in latest Patch Tuesday

Fortunately, no vulnerabilities appear to have been exploited in the wild, says Microsoft

The June edition of Microsoft Patch Tuesday landed yesterday with patches for a cumulative total of 88 vulnerabilities, 20 of which are rated critical.

With the infosec world still fretting over the infamous BlueKeep vulnerability, which both the NSA and Microsoft say has the potential to be exploited by WannaCry-class cyber-pathogens, hard pressed sysadmins have even more to fix.

Nothing in the latest and diverse Patch Tuesday line-up is anything like as serious as BlueKeep, fortunately.

High on the ‘critical’ list is a cumulative security update for Microsoft browsers that deals with a memory corruption vulnerability (CVE-2019-1038), as well as a separate set of Chakra Scripting Engine memory corruption vulnerabilities.

All earn the dreaded ‘critical’ rating due to presenting a remote code execution (RCE) risk.

Also of note is a cumulative security update for Microsoft’s Windows Hyper-V virtualisation tech that defends against a brace of RCE risks (CVE-2019-0620) and (CVE-2019-0722).

Despite only being flagged as ‘important’, a flaw in Azure DevOps Server that gives rise to a spoofing vulnerability (CVE-2019-0996) is of particular note for software developers.

Other Microsoft technologies that need patching for lesser bugs include all supported versions of Windows, Microsoft Office, and much of its server software, as explained in Microsoft’s summary.

Allan Liska, senior solutions architect at Recorded Future, picked out an RCE vulnerability in Microsoft Word (CVE-2019-1034 and CVE-2019-1035) as a candidate for prompt triage.

“This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365.

“Given that Microsoft Word documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered, it could be widely exploited,” he said.

The batch also includes a fix for a cross-site scripting (XSS) vulnerability in Microsoft Office Sharepoint (CVE-2019-1031, CVE-2019-1033, and CVE-2019-1036).

“The vulnerability exists in Sharepoint versions 2010-2019 and occurs because Sharepoint does not properly sanitize specially crafted web requests,” Liska explained.

“A successful attack would allow an attacker to potentially access sensitive files and, depending on the access level of the victim, infect other users within the organization.”

Lastly Microsoft IIS – which controls 39% of the web server market – has a denial of service vulnerability (CVE-2019-0941) in the requestFiltering feature.

It’s a lot to take in, but fortunately the SANS Institute Internet Storm Centre has produced a graphical summary of what needs fixing.

"The highest rated CVE in this month’s release is CVE-2019-0888, a vulnerability in the way ActiveX Data Objects (ADO) handles objects in memory,” said Satnam Narang, senior research engineer at Tenable.

“This could be exploited by an attacker to convince a user to visit a malicious website, resulting in arbitrary code execution as the current user.

“Also notable in this month’s release is that no vulnerabilities appear to have been exploited in the wild, according to Microsoft.”