Automox Patch Tuesday Breakdown: June 2019

Welcome to June's Automox Patch Tuesday Breakdown. This month's release follows a major cybersecurity advisory from the NSA, related to the legacy Windows OS “wormable” vulnerability identified in May, dubbed “BlueKeep.” You can learn more about patching for BlueKeep in our recent blog post.

For June, Microsoft has released security updates for 88 vulnerabilities, with 23 of them being rated critical. The vulnerabilities affect all of Microsoft's supported versions of Windows OS. Several other products, like Internet Explorer, Microsoft Office and Services, Microsoft Edge Browser, Microsoft Lync, Microsoft Exchange Server, ChakraCore, Azure, and Skype for Business are getting updates this month as well. Adobe and VLC have also issued security updates.

This has been one of the biggest Patch Tuesdays in a year – and not just for Microsoft. While Windows administrators and users may be tempted to put off patching, many of these updates address critical vulnerabilities that are just waiting to be exploited. BlueKeep may be a major threat, but that doesn't mean other vulnerabilities shouldn't be taken seriously.

See last month's breakdown for more on May's Patch Tuesday update.

Important Windows OS Updates

There are two critical vulnerabilities addressed this June which affect all supported versions of Windows:

These CVEs affect Microsoft's NTLM authentication protocol and could be exploited to allow remote attackers to bypass NTLM protections. From there, malicious actors can run arbitrary code on any Windows machine – or authenticate to any web server running Windows Integrated Authentication.

The June update strengthens server-side NTLM protections to resolve this issue. All Windows versions are reportedly susceptible, and these vulnerabilities present a wide attack surface for malicious actors.

For Windows 10 versions 1703, 1709, 1803, 1809 and 1903, there are three critical updates – all of which are patching remote code execution vulnerabilities:

  • CVE-2019-0620: Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-0722: Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-0888: ActiveX Data Objects (ADO) Remote Code Execution Vulnerability

Both Hyper-V vulnerabilities (CVE-2019-0620, CVE-2019-0722) are related to when a host server fails to properly validate authenticated users' information. Malicious Actors can exploit these vulnerabilities by running custom applications on a guest operating system in order to prompt the Hyper-V host operating system into running arbitrary code.

If successful, attackers would be able to execute basically any command they want on the host OS. The update corrects how Hyper-V validates user input from guest operating systems.

The ADO vulnerability (CVE-2019-0888) affects the way it handles objects in memory. Attackers could build a website designed to target this vulnerability and lure victims to their site. If exploitation is successful, attackers would then be able to run arbitrary code with the victim's user privileges.

The June update addresses this issue by modifying how ADO handles objects in memory.

Windows 8.1 and Windows 7 have the same critical vulnerabilities as Windows10.

Windows 7 also has an additional remote code execution vulnerability:

  • CVE-2019-0985: Microsoft Speech API Remote Code Execution Vulnerability

This API vulnerability is caused by an error in the handling of text-to-speech input. If exploited, hackers could corrupt memory in a way that allows them to run arbitrary code. Microsoft says, “To exploit the vulnerability, an attacker would need to convince a user to open a specially crafted document containing TTS content invoked through a scripting language.”

The update targets this vulnerability by changing how the system handles objects in memory.

More Patch Tuesday Updates

Other fixes this month include updates for Windows Server products (2008 R2, 2012 R2, 2016 and 2019) include similar patches for remote code execution vulnerabilities in Hyper-V, ADO and API.

Many other Microsoft products are getting important security updates this month as well. Internet Explorer has five critical updates and Microsoft Edge has 12 critical updates, as well.

Microsoft has also released a number of advisories:

  • ADV190016: Disables Bluetooth Low Energy FIDO security keys
  • ADV190017: Fixes HoloLens vulnerabilities
  • ADV190018: Security updates for Microsoft Exchange Server

For June, Adobe has released security updates for its Flash Player, Campaign and ColdFusion products.

Last week, maintainers of VLC Player, a popular open-source media player, patched 33 vulnerabilities – two of which were “high severity” bugs. The bugs were found thanks to the European Commission's new bug bounty program. The EU bug bounty program will be seeking vulnerabilities in many popular open-source projects, including Notepad++, FileZilla and Apache Kafka.

Automated patch management can streamline the process of deploying updates, and can help you ensure that your patches have reached every device on your network. Patch management is a crucial aspect of cybersecurity, and without a good system in place, your entire organization could be left vulnerable.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.