This week, Microsoft rolled out its June Patch Tuesday updates with numerous security fixes. Reportedly, Microsoft fixed 88 different security vulnerabilities affecting various products. These include the zero-day bugs dropped online by SandboxEscaper.
Zero-Days Fixed With Microsoft June Patch Tuesday
Microsoft has rolled out its monthly updates. The June Patch Tuesday release also addresses the zero-day bugs dropped online by SandboxEscaper.
The researcher SandboxEscaper, who has a history of dropping Microsoft zero-day bugs online, published a string of exploits in the previous month. The first of these was a zero-day affecting Windows 10 Task Scheduler. Microsoft has assigned this one CVE-2019-1069, describing it in its advisory as follows:
“An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system.”
Alongside this one, SandboxEscaper announced that she would soon drop three more exploits online, which she disclosed publicly a couple of days later. Microsoft has recognized them as CVE-2019-0973, CVE-2019-1053, and CVE-2019-1064, respectively.
Fortunately, despite the public disclosure, Microsoft confirmed no active exploitation of any of the zero-days in the wild.
Other Important Security Fixes
Alongside the zero-day bugs, Microsoft also fixed tens of other vulnerabilities, bringing the total number of patches to 88. Some of the important fixes address three remote code execution vulnerabilities in Hyper-V (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) and two in Microsoft Word (CVE-2019-1034 and CVE-2019-1035), among others.
In addition, Microsoft issued a separate security advisory for HoloLens device firmware updates. The advisory relates to four remote code execution vulnerabilities affecting the devices.
In all, the products receiving security fixes with this month’s patch bundle include Microsoft Windows, Internet Explorer, ChakraCore, Microsoft Edge, Microsoft Exchange Server, Skype for Business and Microsoft Lync, Azure, and Microsoft Office and Microsoft Office Services and Web Apps.