Microsoft's latest Patch Tuesday takes aim at SandboxEscaper zero-days

Microsoft’s June Patch Tuesday fixes 88 flaws in total

GET YOUR PATCHING SHOES on as Microsoft has released the latest round of ‘Patch Tuesday’ updates for Windows 10, fixing four zero-days and 21 critical flaws.

In total, 88 vulnerabilities are patched in the latest release, of which 66 are rated as “important”.

According to Microsoft, none of the publically disclosed zero-days, or other vulnerabilities, were found to be publically exploited in the wild. The company has advised all users to install the security updates immediately to protect Windows from these security risks.

The four publicly disclosed vulnerabilities patched in the security update appear to be those posted by SandboxEscaper to her GitHub page last month.

These vulnerabilities are:

  • CVE-2019-1069: The bug, which affects Windows Task Scheduler in Windows 10, Server 2016 and later versions, has raised the most concern among security experts. It could allow elevation of privilege on affected systems, according to Microsoft.
  • CVE-2019-1064: Windows elevation of privilege vulnerability affecting Windows 10, Server 2016 and later.
  • CVE-2019-1053: Windows Shell elevation of privilege vulnerability affects all currently supported Windows operating systems. It could create elevation of privilege conditions on affected systems by escaping a sandbox.
  • CVE-2019-0973: Windows Installer vulnerability could enable elevation of privilege on the affected systems through wrong sanitisation of input from loaded libraries.

Microsoft said that two bugs, CVE-2019-1019 and CVE-2019-1040, patched in the latest update could enable attackers to remotely run malicious code on any Windows machine. They could also enable hackers to authenticate to any web server supporting Windows Integrated Authentication.

In addition to the security updates, Microsoft has also released servicing stack update ADV990001 and four advisories. These include updated drivers and software to fix security flaws in third-party software and hardware.

In one advisory, Microsoft explained that it was blocking some selected Bluetooth Low Energy (BLE) FIDO security keys with known pairing vulnerability. The pairing of certain weak BLE security keys will be blocked at the OS level.

The vulnerability in the BLE pairing protocol was unearthed earlier this year by Microsoft security researchers.

The Broadcom wireless network driver has also been updated to fix multiple vulnerabilities, according to Microsoft. µ

Further reading

Source link