A total of 88 vulnerabilities were fixed in Microsoft’s June Patch Tuesday. 22 of the flaws are rated critical, and four of the fixes addressed previously announced elevation of privileges zero-days.
None of the flaws in this month’s share of updates have been exploited in the wild, or at least there are no reports of attacks.
Here are the four zero-day vulnerabilities that were disclosed before Patch Tuesday:
CVE-2019-1069 is located in Task Scheduler which enables users to automatically perform routine tasks on their machines. The flaw exploits the so-called SchRpcRegisterTask, a component in Task Scheduler which registers tasks with the server.
It appears that the component doesn’t properly check for permissions and can be exploited to set an arbitrary DACL (discretionary access control list) permission. The flaw was disclosed by security researcher SandboxEscaper.
In fact, the other three zero-days addressed in this month’s share of updates were also discovered by SandboxEscaper who published their proof-of-concept codes online.
CVE-2019-1064 is an elevation of privilege vulnerability which is triggered when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs, and view, change or delete data.
CVE-2019-1053 is an elevation of privilege bug that stems from the failure of Windows Shell validating folder shortcuts. An attacker who successfully exploited the bug could elevate privileges by escaping a sandbox. An attack would require unprivileged execution on the vulnerable system.
CVE-2019-0973 is аn elevation of privilege vulnerability that exists in the Windows Installer when it fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs, view, change, or delete data, or even create new accounts with full user rights, Microsoft explained.
What is the highest rated vulnerability in this June 2019 Patch Tuesday?
Apparently, the most dangerous bug this month is CVE-2019-0888, said Satnam Narang, senior research engineer for Tenable.
CVE-2019-0888 is a remote code execution vulnerability which is triggered by the way ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited this bug could execute arbitrary code with the user’s privileges.
In addition, an attacker could use a specially crafted website to exploit the vulnerability and then convince the user to visit the particular website. The security update addresses the vulnerability by modifying how ActiveX Data Objects handle objects in memory, Microsoft noted.