June 2019 Patch Tuesday: A little something for everybody
For June 2019 Patch Tuesday, Microsoft has fixed a whooping 88 CVE-numbered vulnerabilities, Adobe has plugged many critical security holes in ColdFusion and Flash Player, and Intel has released security updates and mitigations for multiple products.
Adobe’s fixes
The Flash Player updates plug one but critical code execution flaw (CVE-2019-7845).
Users of the ColdFusion web application development platform are getting patches for three critical code execution bugs and should consult the offered tech notes to apply specific security configuration settings.
Finally, users of Adobe Campaign Classic on Windows and Linux are also urged to upgrade.
Microsoft’s fixes
Microsoft has addressed 88 vulnerabilities. None are currently being exploited in the wild.
Qualys Senior Director of Product Management Jimmy Graham advises administrators to prioritize scripting engine and browser patches for workstation-type systems and urges for a quick implementation of the Hyper-V patches, which fix three remote code execution flaws.
Dustin Childs, Director of Communications for Trend Micro’s Zero Day Initiative, singled out three flaws for quick patching:
- CVE-2019-1069 – an elevation of privilege flaw in Task Scheduler that has been publicly disclosed in May.
- CVE-2019-0941 – a DoS flaw affecting Microsoft IIS Server
- CVE-2019-1053 – a vulnerability in Windows Shell that could allows for a sandbox escape and which has also been previously publicly known.
Other vulnerabilities of note include:
- Two bugs in NTLM, Microsoft’s proprietary authentication protocol, which affect all Windows versions
- Four local privilege escalation zero-day vulnerabilities disclosed by SandboxEscaper in May 2019
Finally, Microsoft also:
- Delivered the Adobe Flash Player June update
- Blocked the pairing of certain BLE security keys (Google Titan and Feitian’s keys) on Windows due to a faulty implementation of the BLE pairing protocol
- Delivered an update for Microsoft Exchange Server that provides enhanced security as a defense in depth measure (no further details have been provided)
- Fixes for four DoS and code execution flaws affecting the Microsoft HoloLens device – users need to implement the firmware update.
Intel’s fixes
Intel has released fixes, advisories and mitigation advice for a number of its products, including SGX for Linux, Intel Accelerated Storage Manager, and NUS, its line of mini PCs.
CISA has direct links to each of the advisories.