bug-bounty-google
Threat Research

Patch Tuesday squashes 89 bugs-including a SophosLabs find

No bugs known to be exploited in the wild, but plenty of serious flaws that need updates

June’s Patch Tuesday release from Microsoft consists of 89 fixes for security bugs in Windows and other Microsoft products, with 20 of them classified as critical by the software company.

Included among these most serious bugs fixed today is a remote code execution vulnerability with the tracking handle CVE-2019-0888, which was reported to Microsoft by the SophosLabs Offensive Security team.

Not to be left out with all these Microsoft patches, Adobe published an update to Flash Player to address a security vulnerability that could lead to a malware infection if left unfixed.

The number of bugs that fall under the “Elevation of Privilege” (EoP) classification is 24. An EoP bug may allow an attacker with access to a system to gain more control over it. 18 of the bugs fixed in this update could be used to deliver remote code to a browser. An additional 10 bugs affect document reader programs, such as Word or Excel, and can be potentially used to compromise a system if a user is tricked into opening a malicious document.

For the first time in a while, none of the bugs are known to have been used in the wild at the time of publishing.

It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-06” at the Microsoft Update Catalog website.

Now for some words on the most notable vulnerabilities fixed in this month’s release:

ActiveX Data Objects (ADO) Remote Code Execution

CVE-2019-0888

The fix for another bug discovered by the SophosLabs Offensive Security Team has made its way into a Patch Tuesday release. The bug is a Use-After-Free vulnerability in the Recordset Object of ADO and is most easily triggered from VBScript.

As Microsoft writes on its technical analysis, “an attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website” Because it requires user interaction for successful exploitation, was privately disclosed, and has not been seen in the wild, we feel it’s safe (for the meantime) to deem it a low impact bug.

We have subsequently published an article describing the technical details behind the bug and its exploitation.

Hyper-V Remote Code Execution

CVE-2019-0620, CVE-2019-0709, CVE-2019-0722

Three separate bugs, categorized as Remote Code Execution and ranked Critical, have been fixed in Hyper-V, the Windows component providing support for hardware virtualization.

While the technical details of these bugs have not been disclosed by Microsoft, it’s reasonable to assume they open the possibility of performing virtual machine “escape” attacks, where code on a guest virtual machine could jump out of the virtual environment and execute in the host machine running the VM.

Virtual machines are often used to create segregated virtual environments where unsafe programs can be run without the risk of them having any effect on the host machine, so this is troubling for those who use Hyper-V for this purpose.

Hey there, little guy!

Windows Elevation of Privilege

CVE-2019-1053, CVE-2019-1064, CVE-2019-1069

Three of the disclosed Elevation of Privilege bugs originate from the notoriously eccentric vulnerability researcher, SandboxEscaper.

Keeping true to her M.O., she “disclosed” the aforementioned bugs by publishing 0-day exploits for them on her github page in the weeks leading up to this month’s Patch Tuesday. She then subsequently deleted the repository of PoC exploits and uploaded a directory full of pictures of polar bears, which are also at risk (though not from these vulnerabilities).

Chakra & VBScript Remote Code Execution

CVE-2019-0920, CVE-2019-0988, CVE-2019-0989, CVE-2019-0990, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1005, CVE-2019-1023, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052, CVE-2019-1055

You’d think that, at a certain point, the obsolete, dormant project that is the VBScript engine would run out of security bugs after weekly bug discoveries and fixes for years on end, but it’s June, 2019 and the VBScript bug body count for this month is three.

It’s worth reiterating that VBScript is only supported by the (now deprecated) Internet Explorer browser–and even then, it’s blocked for Internet sites by default.

Another gift that gives on giving users a reason to update is the Edge browser (and its Chakra JavaScript engine), with 12 new Remote Code Execution bugs.

Sophos coverage

Sophos has released following detection to address the vulnerabilities mentioned above.   Please note that additional vulnerabilities and corresponding detection may be released in the future.

CVE SAV IPS Intercept-X
CVE-2019-1041 Exp/20191041-A N/V N/V
CVE-2019-1053 Exp/20191053-A N/V N/V
CVE-2019-1064 Exp/20191064-A N/V N/V
CVE-2019-1069 Troj/PrivEsc-E N/V N/V

N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. The IX ability to block the exploit depends on actual exploit weaponization approach which we won’t see until it’s spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks

Additional IPS Signatures

 

Microsoft

CVE

SID

CVE-2019-1003 9000969
CVE-2019-1005 9000970
CVE-2019-1024 9000971
CVE-2019-1051 9000972
CVE-2019-1052 9000973
CVE-2019-1055 9000974
CVE-2019-7788 2201204
CVE-2019-1002 2201239
CVE-2019-0991 2201238
CVE-2019-0992 2201238
CVE-2019-0993 2201238
CVE-2019-0990 2201237
CVE-2019-0989 2201236
CVE-2019-0988 2201235
CVE-2019-0985 2201234
CVE-2019-0920 2201233

Adobe

CVE Sid
CVE-2019-7845 9000975

 

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.

It is mostly not possible to test with Intercept-X due to the nature of the data we receive.

What if the vulnerability/0-day you look for is not covered above?

The most likely reason for this is we did not receive enough information about the vulnerability to create detection.