After Adobe, the technology giant Microsoft today—on June 2019 Patch Tuesday—also released its monthly batch of software security updates for various supported versions of Windows operating systems and other Microsoft products.
This month’s security updates include patches for a total of 88 vulnerabilities, 21 are rated Critical, 66 are Important, and one is rated Moderate in severity.
The June 2019 updates include patches Windows OS, Internet Explorer, Microsoft Edge browser, Microsoft Office and Services, ChakraCore, Skype for Business, Microsoft Lync, Microsoft Exchange Server, and Azure.
Four of the security vulnerabilities, all rated important and could allow attackers to escalate privileges, patched by the tech giant this month were disclosed publicly, of which none were found exploited in the wild.
Unpatched Issue Reported by Google Researcher
However, Microsoft failed to patch a minor flaw in SymCrypt, a core cryptographic function library currently used by Windows, which on successful exploitation could allow malicious programs to interrupt (denial of service) the encryption service for other programs.
This vulnerability was reported to Microsoft by Tavis Ormandy, a Google project zero security researcher, almost 90 days ago. Ormandy today publicly released details and proof-of-concept of the flaw after finding that Microsoft doesn’t have any plan to patch the issue with this month updates.
“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted,” Ormandy said.
“Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”
RCE Through NTLM Vulnerabilities (All Windows Versions Affected)
Discovered by researchers at Preempt, two important severity vulnerabilities (CVE-2019-1040 and CVE-2019-1019) affect Microsoft’s NTLM authentication protocol that could allow remote attackers to bypass NTLM protection mechanisms and re-enable NTLM Relay attacks.
These flaws originate from three logical flaws that let attackers bypass various mitigations—including Message Integrity Code (MIC), SMB Session Signing andEnhanced Protection for Authentication (EPA)—Microsoft added to prevent NTLM Relay attacks.
On successful exploitation, a man-in-the-middle attacker can “execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.”
The latest Microsoft Windows updates address the vulnerability by hardening NTLM MIC protection on the server-side.
Other Important Microsoft Vulnerabilities
Here below we have compiled a list of other critical and important Microsoft vulnerabilities of which you should be aware of:
1) Windows Hyper-V RCE and DoS Vulnerabilities (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722) — Microsoft patches three critical remote code execution vulnerabilities in Windows Hyper-V, native virtualization software that lets administrators run multiple operating systems as virtual machines on Windows.
According to advisories, these flaws originate because the host machine fails to properly validate inputs from an authenticated user on a guest operating system.
Hyper-V RCE flaws thus allow an attacker to execute arbitrary malicious code on the host operating system just by executing a specially crafted application on a guest operating system.
Besides RCE flaws in Hyper-V, Microsoft has also released patches for three denial-of-service (DoS) vulnerabilities in Hyper-V software that could allow an attacker with a privileged account on a guest operating system to crash the host operating system.
- Microsoft Issues Software Updates for 17 Critical Vulnerabilities
- 4 New BlueKeep-like ‘Wormable’ Windows Remote Desktop Flaws Discovered
- Microsoft Releases April 2019 Security Updates — Two Flaws Under Active Attack
- Microsoft Releases Patches for 64 Flaws — Two Under Active Attack
- Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities