VERT Threat Alert: June 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s June 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-835 on Wednesday, June 12th.In-The-Wild & Disclosed CVEsCVE-2019-1053An issue where Windows Shell fails to properly validate folder shortcuts could lead to sandbox escape. The attacker would require the ability to execute code on the system to exploit this vulnerability. This appears to be the SandboxEscaper IE 11 Sandbox Escape documented by Bleeping Computer.Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.CVE-2019-1064An attacker who is logged into a system could take advantage of a flaw in the Windows AppX Deployment Service (AppXSVC) to gain control of an impacted system. This flaw exists due to AppXSVC failing to properly handle hard links. This appears to be part of the SandboxEscaper zero-day releases documented by Bleeping Computer.Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.CVE-2019-1069A file operation validation flaw in the Task Schedule Service can lead to elevated privileges on a system. This appears to be part of the SandboxEscaper zero-day releases documented by Bleeping Computer.Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.CVE-2019-0973This vulnerability allows privilege escalation because the Windows Installer can insecurely load libraries due to a failure to properly sanitize input. Successful exploitation would lead to a full compromise of the system. This appears to be part of the SandboxEscaper zero-day releases documented by Bleeping Computer.Microsoft has rated this as a 2 (Exploitation Less Likely) on the Exploitability Index.CVE Breakdown by TagWhile historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Other InformationIn addition to the Microsoft vulnerabilities included in the June Security Guidance, several advisories were released today.June 2019 Adobe Flash Update [ADV190015]Microsoft released an update for Adobe Flash. This corresponds with Adobe Update APSB19-30, which includes a fix for CVE-2019-7845.Bluetooth Low Energy Advisory [ADV190016]Microsoft has released an update to block the pairing of BLE versions of FIDO security keys due to a misconfiguration in the Bluetooth pairing protocol which could allow an attacker to communicate with the key or the pair device. Attackers would require close physical proximity to the device in order to successfully exploit this vulnerability.Microsoft HoloLens Remote Code Execution Vulnerabilities [ADV190017]Microsoft has released an update for the Microsoft HoloLens to resolve 4 vulnerabilities (CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503) that allow attackers with close physical proximity to the device to exploit the Broadcom wireless chipset.Microsoft Exchange Server Defense in Depth Update [ADV190018]Microsoft has released a defense in depth update for Microsoft Exchange Server. There are updates available for all versions since Microsoft Exchange Server 2010.