Patch Tuesday: Microsoft, Adobe, Intel, and SAP have all emitted their latest Patch Tuesday batch of security fixes. Users and admins are encouraged to test and install the updates as soon as humanly possible.
For those running Windows and Windows Server, you’ll be interested in as many as 88 CVE-listed flaws that need addressing in Microsoft’s products.
According to analysts at the Zero Day Initiative, a priority for admins should be a collection of four elevation-of-privilege vulnerabilities found in Windows Shell (CVE-2019-1053), Task Scheduler (CVE-2019-1069), Windows Installer (CVE-2019-0973), and AppX Deployment Service (CVE-2019-1064).
None of the four holes are being actively exploited by hackers, according to Microsoft, though exploits are public, hence ZDI flagging them up. (SandboxEscaper has been releasing exploit code attacking Task Scheduler and other Windows components to achieve privilege elevation, and these patches shut four of those exploits down.)
There are also patches for critical remote code execution bugs in Edge and Internet Explorer, a Patch Tuesday staple. A dirty dozen of RCE holes are cleaned up in the Chakra Scripting Engine and Microsoft browser scripting engine used by Edge and IE. Each bug can be potentially abused by miscreants to execute code on a vulnerable machine simply by having the user view a poisoned webpage.
Also catching the eye of security experts is CVE-2019-0941, a denial-of-service vulnerability in Microsoft’s IIS web server that would potentially allow an attacker to knacker the service by abusing the software’s request filtering feature. Though DoS bugs are not usually considered serious flaws, the fact IIS servers face the public internet makes this programming blunder an irritating concern.
“Note that it would not take down the entire server,” explained Dustin Childs of the ZDI. “Still, if the page attacked handles a critical function – like payment processing – the exploit effects could be significant. IIS security bugs aren’t as common as they once were, but don’t let that fact delay rolling this patch out to affected servers.”
Speaking of annoying denial-of-service bugs… Google Project Zero has released a proof-of-concept security certificate that when processed by Windows will cause the code to go into an infinite loop, requiring a reboot in certain circumstances. No patch exists for it right now.
Google reported the vulnerability privately to Microsoft with a 90-day deadline to fix it. Redmond planned to release a fix this month, within Google’s time limit, then pushed the update back to July for more testing, thus missing the deadline. And so Google went full disclosure today.
“I’ve been able to construct an X.509 certificate that triggers the bug,” noted Googler Tavis Ormandy. “I’ve found that embedding the certificate in an S/MIME message, Authenticode signature, schannel connection, and so on will effectively DoS any Windows server (e.g. IPSEC, IIS, Exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”
This means it’s possible to knacker Windows-based PCs and servers by asking them to process an attacker-supplied certificate. We await Microsoft’s update next month.
Three security holes (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) were patched in Hyper-V that, if exploited, would allow an attacker to escape their virtual machine and run malicious software on the host server.
Office was not spared this month, either. Microsoft posted fixes for two (CVE-2019-1034, CVE-2019-1035) code execution flaws in Word that would be triggered by convincing a victim to open a booby-trapped Office file.
Adobe patches Flash, ColdFusion, and Campaign
For those who haven’t yet gotten around to removing Adobe’s notoriously bug-prone Flash Player from their machines, June brings a fix for CVE-2019-7845, a use-after-free() vulnerability that can be exploited for remote code execution.
Adobe Campaign Classic, a business marketing tool, has been patched to kill off seven CVE-listed vulnerabilities. The most serious of the bugs, CVE-2019-7850, allows for code execution via command injection. Five others can lead to information disclosure, and another can be exploited to achieve arbitrary file-read access.
ColdFusion-using developers will want to make sure they have June’s update to protect against three CVE-listed vulnerabilities (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840), all potentially allowing code execution.
SAP addresses HANA, Solution Manager
For those running SAP platforms, June brings with it 11 security notes, including Note 2748699, describing an information disclosure bug in Solution Manager that could allow an attacker to create new privileged accounts, and Note 2637997, a cross-site scripting flaw in BusinessObjects.
Finally, while you are updating your Adobe, Microsoft, and SAP software, it’s a good idea to check mobile devices for the latest Android security updates posted last week. ®
And finally, finally… Intel has a bunch of security fixes available from today tackling vulnerabilities ranging from denial-of-service to escalation of privilege.