Microsoft Patch Tuesday security updates for June 2019 address 88 vulnerabilities in Windows OS and other products of the tech giant (Internet Explorer, Microsoft Edge browser, Microsoft Office and Services, ChakraCore, Skype for Business, Microsoft Lync, Microsoft Exchange Server, and Azure).
21 out of 88 flaws are rated as Critical in severity, 66 as Important, and only one of them rated as Moderate in severity.
Microsoft addressed four publicly exposed privilege escalation issues rated as important. None of these vulnerabilities was exploited in attacks in the wild.
The flaws were disclosed by the researcher SandboxEscaper over the past weeks, below the list of the issue:
One of the critical vulnerabilities fixed by Microsoft is a Windows Hyper-V Remote Code Execution issue tracked as CVE-2019-0620.
“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.” reads the security advisory.
“An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”
Microsoft fixes a total of three critical remote code execution vulnerabilities in Windows Hyper-V (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722), the Microsoft virtualization software that allows running multiple operating systems as virtual machines on Windows.
The Remote code execution flaws in the Hyper-V allow an attacker to execute arbitrary code on the host operating system just by executing a specially crafted application on a guest operating system.
Patch Tuesday security updates for June 2019 also addressed two important severity vulnerabilities, tracked as CVE-2019-1040 and CVE-2019-1019, that affect Microsoft’s NTLM authentication protocol. The flaws could be exploited by remote attackers to bypass NTLM protection
The full list of vulnerabilities addressed by Microsoft is available here.
Experts pointed out that Microsoft failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs trigger a denial of service condition by interrupting the encryption service for other programs.
This vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. According to the Google 90-days disclosure policy, Ormandy today publicly released details and proof-of-concept of the vulnerability.
(SecurityAffairs – Microsoft Patch Tuesday, hacking)