The June 2019 Security Update Review

June 11, 2019 | Dustin Childs

June has arrived and so have the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for June 2019

This month, Adobe has a small release with 11 CVEs addressed in Flash Player, Adobe Campaign, and ColdFusion. The update for Flash fixes an Important-severity Use-After-Free (UAF) bug reported through the ZDI program. The update for Campaign Classic is the largest of the three with seven CVEs included. The only Critical-rated bug fixed here corrects a command injection vulnerability. The other CVEs cover information disclosure bugs and an arbitrary read access bug. Three CVEs are included in the ColdFusion patch. All address Critical-rated code execution bugs. If you are using the development platform, this should be your priority.

Microsoft Patches for June 2019

In their largest patch cycle in recent memory, Microsoft released security patches for 88 CVEs along with four advisories. The updates cover Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Exchange Server, Azure, and SQL Server. Of these 88 CVEs, 21 are rated Critical, 66 are rated Important, and one is rated Moderate in severity. A total of 18 of these CVEs came through the ZDI program. Four of these bugs are listed as publicly known, but none are listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with some of the publicly known bugs:

- CVE-2019-1069 – Task Scheduler Elevation of Privilege Vulnerability
This patch covers one of the publicly known local privilege escalations (LPE) released as a group in late May. This case allows an attacker to escalate through the Task Scheduler – an exploit path popular in the days of Windows NT and XP. The initial PoC required having a cleartext password, but as ZDI researcher Simon Zuckerbraun shows, this isn’t always the case. Bugs from this source have been used by malware in the past, so it wouldn’t surprise me to see this highly exploitable bug used in future attacks. 

- CVE-2019-0941 – Microsoft IIS Server Denial of Service Vulnerability
This patch corrects a bug in the IIS web server that could allow an attacker to take down a page utilizing request filtering. Note that it would not take down the entire server. Still, if the page attacked handles a critical function – like payment processing – the effects of an exploit could be significant. IIS security bugs aren’t as common as they once were, but don’t let that fact delay rolling this patch out to affected servers.

- CVE-2019-1053 – Windows Shell Elevation of Privilege Vulnerability
Another one of the publicly known bugs, this patch corrects a sandbox escape that occurs when the Windows Shell fails to validate folder shortcuts. Anytime someone says “shortcuts vulnerability in Windows”, it evokes memories of exploits from years past. This vulnerability seems less severe, but any reliable sandbox escape should be taken seriously.

Here’s the full list of CVEs released by Microsoft for June 2019.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 | EoP |
| CVE-2019-1064 | Windows Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 | EoP |
| CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
| CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 | EoP |
| CVE-2019-0990 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | N/A | Info |
| CVE-2019-1023 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | N/A | Info |
| CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0989 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0991 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0992 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0993 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-1002 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-1003 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-1024 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-1051 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-1052 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-1038 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0985 | Microsoft Speech API Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
| CVE-2019-1080 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0920 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0988 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1055 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0620 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0709 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0722 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0972 | Local Security Authority Subsystem Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0941 | Microsoft IIS Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1029 | Skype for Business and Lync Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1025 | Windows Denial of Service Vulnerability | Important | No | No | 1 | 1 | DoS |
| CVE-2019-0710 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0711 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0713 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
| CVE-2019-1018 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
| CVE-2019-0960 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
| CVE-2019-1014 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1017 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0943 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1007 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1021 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1022 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1026 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1027 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1028 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0959 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0984 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1041 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1065 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1045 | Windows Network File System Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
| CVE-2019-0983 | Windows Storage Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0998 | Windows Storage Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0986 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1081 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
| CVE-2019-0968 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-0977 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1009 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1010 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1011 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1012 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1013 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1015 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1016 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1046 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1047 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1048 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1049 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1050 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1039 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1043 | Comctl32 Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0904 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0905 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0906 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0907 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0908 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0909 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0974 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1034 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1035 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1005 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-1054 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 1 | N/A | SFB |
| CVE-2019-1019 | Microsoft Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1044 | Windows Secure Kernel Mode Security Feature Bypass Vulnerability | Important | No | No | N/A | 2 | SFB |
| CVE-2019-0996 | Azure DevOps Server Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-1040 | Windows NTLM Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
| CVE-2019-1031 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-1032 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-1033 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-1036 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0948 | Windows Event Viewer Information Disclosure Vulnerability | Moderate | No | No | 2 | 2 | Info |

The other publicly known bugs patched this month involve LPEs in the Windows Installer and the Windows AppX Deployment Service (AppXSVC).
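
For teams that want to turn the table above into a patch order, here is a small triage helper, added as an example and not code from ZDI or Microsoft. It parses rows in either the flattened or the pipe-delimited layout and sorts them; the ordering policy, the function names and the choice of sample rows are assumptions, and XI is Microsoft's Exploitability Index, where a lower number means exploitation is more likely.

```python
import re

# Sample rows copied from the table above (a constructed subset, not the full list).
SAMPLE_ROWS = """\
CVE-2019-1069 Task Scheduler Elevation of Privilege Vulnerability Important Yes No 1 1 EoP
CVE-2019-0973 Windows Installer Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2019-0620 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0985 Microsoft Speech API Remote Code Execution Vulnerability Critical No No N/A 1 RCE
CVE-2019-1040 Windows NTLM Tampering Vulnerability Important No No 2 2 Tampering
CVE-2019-0948 Windows Event Viewer Information Disclosure Vulnerability Moderate No No 2 2 Info
"""

# Hypothetical policy: severity is only the last tie-breaker.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def parse_row(line):
    """Return a dict for one table row, or None for headers and damaged rows."""
    tokens = line.replace("|", " ").split()  # accept flattened or pipe-delimited rows
    if len(tokens) < 8 or not re.fullmatch(r"CVE-\d{4}-\d{4,}", tokens[0]):
        return None
    # The last six tokens are fixed columns; the title is everything in between.
    severity, public, exploited, xi_latest, xi_older, kind = tokens[-6:]
    if severity not in SEVERITY_RANK or {public, exploited} - {"Yes", "No"}:
        return None
    # "N/A" carries no rating to compare, so keep only the numeric values.
    xi = [int(v) for v in (xi_latest, xi_older) if v.isdigit()]
    return {"cve": tokens[0], "title": " ".join(tokens[1:-6]), "severity": severity,
            "public": public == "Yes", "exploited": exploited == "Yes",
            "best_xi": min(xi) if xi else None, "type": kind}


def triage(text):
    """Order rows: exploited first, then publicly known, then lowest XI, then severity."""
    rows = [row for row in map(parse_row, text.splitlines()) if row]
    return sorted(rows, key=lambda r: (
        not r["exploited"], not r["public"],
        r["best_xi"] if r["best_xi"] is not None else 9,
        SEVERITY_RANK[r["severity"]], r["cve"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        flag = "public" if r["public"] else "private"
        print(f'{r["cve"]}  XI={r["best_xi"]}  {r["severity"]:<9} {flag:<7} {r["title"]}')
```

Under this policy the publicly known Task Scheduler and Windows Installer LPEs sort ahead of the Critical-rated Hyper-V bugs, which matches the emphasis the write-up places on the public bugs.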

Looking at the Critical-rated vulnerabilities patched for June, three Hyper-V Remote Code Execution (RCE) bugs definitely stand out. In each of these cases, someone on the guest OS could end up executing code on the underlying host OS. Another Critical-rated bug involves the text-to-speech (TTS) functionality of the Microsoft Speech API. While the exploit scenario itself involves a bit of social engineering, the abuse of this API for code execution is certainly fascinating. The remaining Critical-rated bugs all involve a browser component and lead to code execution should you visit a specially crafted website.

We should also note that two of the Critical-rated browser bugs are listed as information disclosure rather than RCE. These types of bugs are generally rated as Important, and it’s unclear why these would be different. Regardless, a successful exploit of either of these bugs would result in the disclosure of uninitialized memory, which could then be used for other purposes.

The June release addresses a surprising number of denial-of-service (DoS) bugs. In addition to the aforementioned IIS vulnerability, DoS bugs in Hyper-V and Skype for Business get patches this month. A DoS bug in the OS could cause a system hang when connecting to a network share. Most concerning is a DoS in the LSASS service that could be used to trigger an automatic reboot if the service receives a specially crafted request. One can envision a flood of these requests being quite the nuisance.

After getting 13 patches last month, the Jet Database Engine receives only seven patches for June. The Windows GDI component is the popular choice for this month, with 14 info disclosure bugs getting patches in this release.

A variety of Elevation of Privilege (EoP) bugs in various components also receive patches this month. Most notable are the ones for Windows Kernel and Windows Audio Service. The Audio Service vulnerabilities – all six of them – are slightly different than a standard EoP. Most EoPs just require an authorized user to execute specially crafted code on a target system. These bugs require a secondary exploit to be used in conjunction with the Audio Server bugs to execute code with elevated privileges. June brings a couple of patches for code execution bugs in Microsoft Word, but the majority of Office-related patches correct Cross-site Scripting (XSS) vulnerabilities in SharePoint.

Three patches in this release involve some form of Security Feature Bypass (SFB). One of these bugs involves Edge not properly recognizing Mark of the Web (MOTW) tagging on content. Quite a few Windows security technologies rely on identifying MOTW content, so it’s easy to understand why attackers would want to bypass it. The next bypass vulnerability impacts the Windows Secure Kernel Mode, as it allows attackers to violate Virtual Trust Levels (VTL). The final bypass impacts Windows authentication via NETLOGON. There are certain cases where an attacker could obtain a session key and sign messages. Should they manage this, the attacker could access a target machine using the original user privileges.

Another patch correcting an NTLM vulnerability addresses a tampering bug. In this case, the attacker would need to intercept traffic (e.g. be a man-in-the-middle) to bypass NTLM Message Integrity Check protection. A successful attack would downgrade NTLM security features. Rounding out the release is a patch for a cross-site request forgery (CSRF) bug in the Azure DevOps server. Successful exploitation of this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user.

The June release includes several advisories. We’ve already mentioned the Exchange DiD update. A patch for the HoloLens mixed reality headset fixes several CVEs related to the Broadcom wireless chipset. These four bugs could allow for code execution on the headset. ADV190016 provides a patch to fix the publicly known CVE-2019-2102, which covers a bug in the Bluetooth Low Energy (BLE) version of FIDO Security Keys. Google has issued their patch for Android, and Microsoft is using this advisory to block the pairing of these keys with the pairing misconfiguration. Microsoft Exchange gets some defense-in-depth fixes through ADV190018, although the advisory is not clear about what those enhancements may be. Finally, the remaining advisories for June should be familiar. The first is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer. The other is another update to the Windows Servicing Stack, which adds updates for Windows 10 and Windows Server 2016 and 2019.

Looking Ahead

The next Patch Tuesday falls on July 9, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!