Microsoft Releases June 2019 Security Updates to Patch 88 Vulnerabilities

Filed under Security News.

Following Adobe's release earlier in the day, Microsoft today—on the June 2019 Patch Tuesday—also released its monthly batch of security updates for supported versions of Windows and other Microsoft products.

This month's updates address a total of 88 vulnerabilities: 21 rated Critical, 66 rated Important and one rated Moderate.

The June 2019 updates cover Windows, Internet Explorer, Microsoft Edge, Microsoft Office and Office Services, ChakraCore, Skype for Business, Microsoft Lync, Microsoft Exchange Server and Azure.

Four of the vulnerabilities patched this month, all rated Important and all elevation-of-privilege flaws, had been publicly disclosed before the patch was available; none of them was known to be exploited in the wild.

Unpatched Issue Reported by Google Researcher

However, Microsoft did not patch a low-severity flaw in SymCrypt, the core cryptographic library used by current versions of Windows. On successful exploitation, a malicious program can stall the affected routines (a denial of service), taking cryptographic services away from every other program on the machine that depends on them.

The vulnerability was reported to Microsoft by Tavis Ormandy of Google Project Zero almost 90 days ago. Ormandy published details and a proof-of-concept today, after learning that Microsoft did not plan to fix the issue in this month's updates.

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, Authenticode signature, Schannel connection, and so on will effectively DoS any Windows server (e.g. IPsec, IIS, Exchange, etc) and (depending on the context) may require the machine to be rebooted,” Ormandy said.


“Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”


RCE Through NTLM Vulnerabilities (All Windows Versions Affected)

Discovered by researchers at Preempt, two Important-severity vulnerabilities (CVE-2019-1040 and CVE-2019-1019) in Microsoft's NTLM authentication protocol allow a remote attacker to bypass the protections built into NTLM and once again mount NTLM relay attacks against targets those protections were meant to cover.

The two CVEs stem from three logic flaws that let an attacker bypass the mitigations Microsoft added to stop NTLM relay: the Message Integrity Code (MIC), SMB session signing and Enhanced Protection for Authentication (EPA).

On successful exploitation, a man-in-the-middle attacker can “execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.”

The June Windows updates address the issue by hardening how servers validate the NTLM MIC.
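To make that server-side check concrete, here is an added Python example (not code from the article, from Preempt or from Microsoft). It builds an NTLM AUTHENTICATE_MESSAGE following the field layout in MS-NLMP, then shows the inconsistency a relay attacker creates when dropping the MIC: the MIC field (and the Version block in front of it) can be cut out of the message header, but the MsvAvFlags "MIC present" bit lives inside the NTLMv2 response's target info, which NTProofStr covers, so it cannot be cleared. Treating "flag set, MIC missing" as a rejection is my reading of the hardening the article describes, not a quotation of Microsoft's patch; the sample messages, the NTProofStr and MIC bytes, and the notion that relay tools also strip Version are constructed or assumed here.

```python
"""Spot a stripped MIC in an NTLM AUTHENTICATE_MESSAGE (added example; offsets per MS-NLMP).
NTProofStr and MIC values are placeholders: the check only needs presence and consistency."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
BASE_FLAGS = 0x00088201      # UNICODE | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY
VERSION_WIN10 = b"\x0a\x00" + struct.pack("<H", 17763) + b"\x00\x00\x00\x0f"  # 10.0.17763, rev 15
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0000, 0x0002, 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002
MIC_OFFSET, FULL_HEADER_LEN = 72, 88   # Sig(8) Type(4) 6 fields(48) Flags(4) Version(8) | MIC(16)


def _field(length, offset):
    """Len, MaxLen, BufferOffset descriptor used for every payload buffer."""
    return struct.pack("<HHI", length, length, offset)


def build_av_pairs(pairs):
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def build_ntlmv2_response(nt_proof_str, av_pairs):
    """NTLMv2_RESPONSE = NTProofStr(16) || NTLMv2_CLIENT_CHALLENGE (28 fixed bytes || AvPairs)."""
    client_challenge = (struct.pack("<BBHI", 1, 1, 0, 0)  # RespType, HiRespType, Reserved1, Reserved2
                        + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4)  # TimeStamp, ChallengeFromClient, Reserved3
    return nt_proof_str + client_challenge + av_pairs


def build_authenticate(nt_response, mic=None, include_version=True, domain="CORP", user="alice"):
    """Assemble an AUTHENTICATE_MESSAGE; mic=None, include_version=False mimics a relay tool dropping the MIC."""
    if mic is not None and not include_version:
        raise ValueError("the MIC field follows Version; it cannot exist without it")
    header_len = 64 + (8 if include_version else 0) + (16 if mic is not None else 0)
    # Payload buffers: LM response, NT response, domain, user, workstation, encrypted session key
    blobs = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += _field(len(blob), header_len + len(payload))
        payload += blob
    flags = BASE_FLAGS | (NTLMSSP_NEGOTIATE_VERSION if include_version else 0)
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + descriptors + struct.pack("<I", flags)
    header += (VERSION_WIN10 if include_version else b"") + (mic if mic is not None else b"")
    assert len(header) == header_len
    return header + payload


def parse_authenticate(msg):
    """Return the NT response and the MIC field (None when the header is too short to hold one)."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    fields = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(6)]
    nt_len, _, nt_off = fields[1]
    header_len = min((off for length, _, off in fields if length), default=len(msg))  # header ends at first buffer
    mic = msg[MIC_OFFSET:FULL_HEADER_LEN] if header_len >= FULL_HEADER_LEN else None
    return {"nt_response": msg[nt_off:nt_off + nt_len], "mic": mic, "header_len": header_len}


def parse_av_pairs(nt_response):
    """Target info (AvId -> value) from the client challenge; NTProofStr covers these bytes."""
    pos, pairs = 16 + 28, {}
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = nt_response[pos:pos + av_len]
        pos += av_len
    return pairs


def mic_declared(nt_response):
    flags = parse_av_pairs(nt_response).get(MSV_AV_FLAGS)
    return len(flags or b"") == 4 and bool(struct.unpack("<I", flags)[0] & AV_FLAG_MIC_PRESENT)


def classify(msg):
    """Decision a hardened server takes before touching the session key:
    'verify-mic'      MIC declared and present: go on to HMAC-MD5(ExportedSessionKey, NEGOTIATE||CHALLENGE||AUTHENTICATE)
    'mic-stripped'    signed target info declares a MIC but none arrived: reject (my reading of the fix)
    'no-mic-declared' legacy client; whether to allow it is policy"""
    parsed = parse_authenticate(msg)
    declared = mic_declared(parsed["nt_response"])
    present = parsed["mic"] is not None and parsed["mic"] != b"\x00" * 16
    if declared and not present:
        return "mic-stripped"
    return "verify-mic" if declared else "no-mic-declared"


def demo():
    """Constructed sample: an honest message and the same one after a relay attacker drops the MIC."""
    target_info = build_av_pairs([(MSV_AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
                                  (MSV_AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT))])
    nt_response = build_ntlmv2_response(b"\xaa" * 16, target_info)
    honest = build_authenticate(nt_response, mic=b"\xbb" * 16)
    # nt_response is reused untouched: the attacker cannot clear the flag without breaking NTProofStr.
    relayed = build_authenticate(nt_response, mic=None, include_version=False)
    return classify(honest), classify(relayed)


if __name__ == "__main__":
    print(demo())  # ('verify-mic', 'mic-stripped')
```

The point of the check is ordering: a server that only verifies a MIC when one is present lets the relayed message through, because the HMAC comparison never runs; a server that first consults the signed MsvAvFlags knows a MIC was promised and can reject its absence without needing the session key at all.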

Other Important Microsoft Vulnerabilities

Below is a list of other Critical and Important Microsoft vulnerabilities you should be aware of:

1) Windows Hyper-V RCE and DoS Vulnerabilities (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722) — Microsoft patched three Critical remote code execution vulnerabilities in Windows Hyper-V, the native virtualization software that lets administrators run multiple operating systems as virtual machines on Windows.

According to the advisories, the flaws arise because the host fails to properly validate input from an authenticated user on a guest operating system.

An attacker who runs a specially crafted application inside a guest can therefore execute arbitrary code on the host operating system, breaking the isolation between the virtual machine and the hypervisor.

Besides the RCE flaws, Microsoft also patched three denial-of-service (DoS) vulnerabilities in Hyper-V that let an attacker with a privileged account on a guest operating system crash the host.

Users and system administrators are strongly advised to apply the latest security updates as soon as possible, before attackers can use these flaws to take control of their systems.

To install the latest security updates, go to Settings → Update & Security → Windows Update → Check for updates on your computer, or install the updates manually.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.