Patch Tuesday Commentary

Yesterday, Microsoft published its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of “Critical,” the company’s highest severity ranking. 

Experts Comments: 

Satnam Narang, Senior Research Engineer at Tenable: 

“This month’s Patch Tuesday release contains updates for nearly 90 CVEs, including fixes for four zero-day elevation of privilege vulnerabilities: “bearlpe,” “InstallerBypass,” “CVE-2019-0841-BYPASS,” and “sandboxescape,” that werepublicly disclosed by SandboxEscaper in late May.   

“CVE-2019-1069, the “bearlpe” flaw, is an elevation of privilege vulnerability in the way the Task Scheduler Service validates file operations.   

“CVE-2019-0973, “InstallerBypass,” is an elevation of privilege vulnerability in the Windows Installer due to insufficient sanitization of inputs.   

“CVE-2019-1064, “CVE-2019-0841-BYPASS,” is an elevation of privilege vulnerability that affects how Windows AppX Deployment Service (AppXSVC) handles hard links. As noted in the name, this is a bypass of a previously reported and patched vulnerability, CVE-2019-0841.   

“CVE-2019-1053, dubbed “sandboxescape,” is an elevation of privilege vulnerability in Windows Shell which impacts how it  validates folder shortcuts.   

“The highest rated CVE in this month’s release is CVE-2019-0888, a vulnerability in the way ActiveX Data Objects (ADO) handles objects in memory. This could be exploited by an attacker to convince a user to visit a malicious website, resulting in arbitrary code execution as the current user.   

“Also notable in this month’s release is that no vulnerabilities appear to have been exploited in the wild, according to Microsoft.”  

Allan Liska, Senior Solutions Architect at Recorded Future:  

“Microsoft released a number of patches today for a variety of systems including, the Windows JET Database Engine, Internet Explorer, Microsoft Exchange, Azure and Microsoft Office.  

The Microsoft JET Database Engine has a Critical Remote Code Execution Vulnerability (CVE-2019-0904 – CVE 2019-0909). The vulnerability resides in the way that the JET Database Engine handles objects in memory. An attacker could send over a specially crafted .jet file that a victim would have to open. Interestingly, despite the fact that there have been eight critical vulnerabilities in the JET Database engine over the last two years, Recorded Future has not seen evidence of cybercriminals successfully exploiting these vulnerabilities.  

There is a potentially very serious Remote Code Execution vulnerability in Microsoft Word (CVE-2019-1034 & CVE-2019-1035). This is another memory corruption vulnerability that requires an attacker to send a specially crafted Microsoft Word document for a victim to open, alternatively an attacker could convince a victim to click on a link to website hosting a malicious Microsoft Word document. This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365. Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited.

There is also a Cross Site Scripting (XSS) vulnerability in Microsoft Office Sharepoint (CVE-2019-1031 – CVE-2019-1033 and CVE-2019-1036). The vulnerability exists in Sharepoint versions 2010 – 2019 and occurs because Sharepoint does not properly sanitize specially crafted web requests. A successful attack would allow an attacker to potentially access sensitive files and, depending on the access level of the victim, infect other users within the organization. 
Microsoft IIS, which as of May 2019 controls 39% of the web server market, has a denial of service vulnerability. CVE-2019-0941 is a vulnerability in the requestFiltering feature.  An attacker can exploit this vulnerability by sending a specially formatted packet design to take advantage of a flaw in the way requestFiltering handles requests. Successfully exploiting this vulnerability will result in the web site (or specific pages, depending on how requestFiltering is configured) to be temporarily unavailable.”