Today’s VERT Alert addresses Microsoft’s June 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-835 on Wednesday, June 12th.
In-The-Wild & Disclosed CVEs
CVE-2019-1053
An issue where Windows Shell fails to properly validate folder shortcuts could lead to sandbox escape. The attacker would require the ability to execute code on the system to exploit this vulnerability. This appears to be the SandboxEscaper IE 11 Sandbox Escape documented by Bleeping Computer. Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.
CVE-2019-1064
An attacker who is logged into a system could take advantage of a flaw in the Windows AppX Deployment Service (AppXSVC) to gain control of an impacted system. This flaw exists due to AppXSVC failing to properly handle hard links. This appears to be part of the SandboxEscaper zero-day releases documented by Bleeping Computer. Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.
CVE-2019-1069
A file operation validation flaw in the Task Scheduler Service can lead to elevated privileges on a system. This appears to be part of the SandboxEscaper zero-day releases documented by Bleeping Computer. Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.
CVE-2019-0973
This vulnerability allows privilege escalation because the Windows Installer can insecurely load libraries due to a failure to properly sanitize input. Successful exploitation would lead to a full compromise of the system. This appears to be part of the SandboxEscaper zero-day releases documented by Bleeping Computer. Microsoft has rated this as a 2 (Exploitation Less Likely) on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.
| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Team Foundation Server | 1 | CVE-2019-0996 |
| Windows NTLM | 1 | CVE-2019-1019 |
| Windows Hyper-V | 1 | CVE-2019-0620 |
| Microsoft JET Database Engine | 7 | CVE-2019-0904, CVE-2019-0905, CVE-2019-0906, CVE-2019-0907, CVE-2019-0908, CVE-2019-0909, CVE-2019-0974 |
| VBScript | 1 | CVE-2019-1005 |
| Microsoft Windows | 17 | CVE-2019-0888, CVE-2019-0943, CVE-2019-0948, CVE-2019-0959, CVE-2019-0984, CVE-2019-0709, CVE-2019-0710, CVE-2019-0711, CVE-2019-0713, CVE-2019-0722, CVE-2019-0983, CVE-2019-0998, CVE-2019-1025, CVE-2019-1043, CVE-2019-1045, CVE-2019-1064, CVE-2019-1069 |
| Kerberos | 1 | CVE-2019-0972 |
| Microsoft Edge | 1 | CVE-2019-1054 |
| Microsoft Graphics Component | 17 | CVE-2019-1009, CVE-2019-1010, CVE-2019-1011, CVE-2019-1012, CVE-2019-1013, CVE-2019-1015, CVE-2019-1016, CVE-2019-1018, CVE-2019-1046, CVE-2019-1047, CVE-2019-1048, CVE-2019-1049, CVE-2019-1050, CVE-2019-0960, CVE-2019-0968, CVE-2019-0977, CVE-2019-0985 |
| Microsoft Browsers | 2 | CVE-2019-1038, CVE-2019-1081 |
| Windows IIS | 1 | CVE-2019-0941 |
| Windows Installer | 1 | CVE-2019-0973 |
| Windows Kernel | 6 | CVE-2019-1014, CVE-2019-1017, CVE-2019-1039, CVE-2019-1041, CVE-2019-1044, CVE-2019-1065 |
| Windows Media | 6 | CVE-2019-1007, CVE-2019-1021, CVE-2019-1022, CVE-2019-1026, CVE-2019-1027, CVE-2019-1028 |
| Windows Authentication Methods | 1 | CVE-2019-1040 |
| Skype for Business and Microsoft Lync | 1 | CVE-2019-1029 |
| Windows Shell | 2 | CVE-2019-0986, CVE-2019-1053 |
| Microsoft Office | 2 | CVE-2019-1034, CVE-2019-1035 |
| Microsoft Scripting Engine | 15 | CVE-2019-0988, CVE-2019-0989, CVE-2019-1055, CVE-2019-0920, CVE-2019-0990, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1023, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052, CVE-2019-1080 |
| Microsoft Office SharePoint | 4 | CVE-2019-1036, CVE-2019-1031, CVE-2019-1032, CVE-2019-1033 |
Other Information
In addition to the Microsoft vulnerabilities included in the June Security Guidance, several advisories were released today.
June 2019 Adobe Flash Update [ADV190015]
Microsoft released an update for Adobe Flash. This corresponds with Adobe Update APSB19-30, which includes a fix for CVE-2019-7845.
Bluetooth Low Energy Advisory [ADV190016]
Microsoft has released an update to block the pairing of BLE versions of FIDO security keys due to a misconfiguration in the Bluetooth pairing protocol which could allow an attacker to communicate with the key or the paired device. Attackers would require close physical proximity to the device in order to successfully exploit this vulnerability.
Microsoft HoloLens Remote Code Execution Vulnerabilities [ADV190017]
Microsoft has released an update for the Microsoft HoloLens to resolve 4 vulnerabilities (CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503) that allow attackers with close physical proximity to the device to exploit the Broadcom wireless chipset.
Microsoft Exchange Server Defense in Depth Update [ADV190018]
Microsoft has released a defense in depth update for Microsoft Exchange Server. There are updates available for all versions since Microsoft Exchange Server 2010.