June Patch Bulletin

June Patch Bulletin

This month there are 89 unique CVE’s, 4 publicly disclosed vulnerabilities, 9 technologies affected, and no reported attacks. All 4 of the publicly disclosed vulnerabilities (CVE-2019-1053CVE-2019-1064CVE-2019-1069CVE-2019-0973) are privilege escalation vulnerabilities affecting Windows.

  • CVE-2019-1053 An elevation of privilege vulnerability exists when the Windows Shell fails to validate folder shortcuts. An attacker who successfully exploited the vulnerability could elevate privileges by escaping a sandbox. To exploit this vulnerability, an attacker would require unprivileged execution on the victim system. The security update addresses the vulnerability by correctly validating folder shortcuts.
  • CVE-2019-1064 An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links
  • CVE-2019-1069 An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system. The security update addresses the vulnerability by correctly validating file operations.
  • CVE-2019-0973 An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation.

For additional details, please find the information from Microsoft below:

Technology Products Affected SeverityReferenceWorkaround/Exploited/ Publicly Disclosed Vulnerability Info
AdobeFlash Player 32.0.0.192 and earlierCriticalCVE-2019-7845Workaround: No
Exploited: No
Public: No
Arbitrary Code Execution
Windows Windows 7, 8.1, 8.1 RT, 10
Server 2008/2008 R2
Sever 2012, 2012 R2
Server 2016
Server 2019
Critical CVE-2019-0713
CVE-2019-0722
CVE-2019-0888
CVE-2019-0904
CVE-2019-1025
CVE-2019-1026
CVE-2019-1027
CVE-2019-1028
CVE-2019-1039
CVE-2019-0620
CVE-2019-0709
CVE-2019-0710
CVE-2019-0711
CVE-2019-1019
CVE-2019-1021
CVE-2019-1022
CVE-2019-0905
CVE-2019-0906
CVE-2019-0895
CVE-2019-1040
CVE-2019-1041
CVE-2019-1043
CVE-2019-0907
CVE-2019-0908
CVE-2019-1044
CVE-2019-1045
CVE-2019-1046
CVE-2019-1047
CVE-2019-0909
CVE-2019-0941
CVE-2019-1048
CVE-2019-1049
CVE-2019-1050
CVE-2019-1053
CVE-2019-0943
CVE-2019-0948
CVE-2019-0959
CVE-2019-1064
CVE-2019-1065
CVE-2019-1069
CVE-2019-0960
CVE-2019-0968
CVE-2019-0972
CVE-2019-0973
CVE-2019-0974
CVE-2019-0977
CVE-2019-0983
CVE-2019-0984
CVE-2019-0985
CVE-2019-0986
CVE-2019-0998
CVE-2019-1007
CVE-2019-1009
CVE-2019-1010
CVE-2019-1011
CVE-2019-1012
CVE-2019-1013
CVE-2019-1014
CVE-2019-1015
CVE-2019-1016
CVE-2019-1017
CVE-2019-1018
Workaround: No
Exploited: No
Public: Yes
Information Disclosure
Elevation of Privilege
Remote Code Execution
Security Feature Bypass
Denial of Service
Tampering
Internet ExplorerIE 9,10,11 CriticalCVE-2019-0920
CVE-2019-0988
CVE-2019-1005
CVE-2019-1038
CVE-2019-1055
CVE-2019-1080
CVE-2019-1081
Workaround: No
Exploited: No
Public: No
Remote Code Execution
Information Disclosure
EdgeEdgeCriticalCVE-2019-1002
CVE-2019-1003
CVE-2019-1023
CVE-2019-1024
CVE-2019-1038
CVE-2019-1051
CVE-2019-0989
CVE-2019-0990
CVE-2019-0991
CVE-2019-0992
CVE-2019-0993
CVE-2019-1052
CVE-2019-1054
CVE-2019-1081
Workaround: No
Exploited: No
Public: No
Remote Code Execution
Information Disclosure
Security Feature Bypass
Office, Office Services, and Web AppsLync Server 2010, 2013
Office 2010, 2016 for Mac, 2019, 2019 for Mac
Web Apps 2010
Project Server 2010
SharePoint Enterprise 2013, 2016
SharePoint Foundation 2010, 2013
SharePoint Server 2010, 2019
Word 2010, 2013, 2016
Office 365
ImportantCVE-2019-1029
CVE-2019-1031
CVE-2019-1032
CVE-2019-1033
CVE-2019-1034
CVE-2019-1035
CVE-2019-1036
Workaround: No
Exploited: No
Public: No
Denial of Service
Remote Code Execution
Spoofing
ChakraCoreChakraCoreCriticalCVE-2019-0989
CVE-2019-0990
CVE-2019-0991
CVE-2019-0993
CVE-2019-1003
CVE-2019-1023
CVE-2019-1024
CVE-2019-1051
CVE-2019-1052
Workaround: No
Exploited: No
Public: No
Remote Code Execution
Information Disclosure
Skype for Business and LyncLync ServerImportantCVE-2019-1029Workaround: No
Exploited: No
Public: Yes
Denial of Service
ExchangeServer 2010, 2013, 2016, 2019
NoneADV190018Enhanced Security
AzureDevOps Server 2019
ImportantCVE-2019-0996Workaround: No
Exploited: No
Public: No
Spoofing

In case of any questions or clarifications please feel free to reach out to ECHO’s Service Desk.