June’s Patch Tuesday release from Microsoft consists of 89 fixes for security bugs in Windows and other Microsoft products, with 20 of them classified as critical by the software company.
Included among these most serious bugs fixed today is a remote code execution vulnerability with the tracking handle CVE-2019-0888, which was reported to Microsoft by the SophosLabs Offensive Security team.
Not to be left out with all these Microsoft patches, Adobe published an update to Flash Player to address a security vulnerability that could lead to a malware infection if left unfixed.
The number of bugs that fall under the “Elevation of Privilege” (EoP) classification is 24. An EoP bug may allow an attacker with access to a system to gain more control over it. 18 of the bugs fixed in this update could be used to deliver remote code to a browser. An additional 10 bugs affect document reader programs, such as Word or Excel, and can be potentially used to compromise a system if a user is tricked into opening a malicious document.
For the first time in a while, none of the bugs are known to have been used in the wild at the time of publishing.
It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-06” at the Microsoft Update Catalog website.
Now for some words on the most notable vulnerabilities fixed in this month’s release:
ActiveX Data Objects (ADO) Remote Code Execution
The fix for another bug discovered by the SophosLabs Offensive Security Team has made its way into a Patch Tuesday release. The bug is a Use-After-Free vulnerability in the Recordset Object of ADO and is most easily triggered from VBScript.
As Microsoft writes on its technical analysis, “an attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website” Because it requires user interaction for successful exploitation, was privately disclosed, and has not been seen in the wild, we feel it’s safe (for the meantime) to deem it a low impact bug.
We have subsequently published an article describing the technical details behind the bug and its exploitation.
Hyper-V Remote Code Execution
CVE-2019-0620, CVE-2019-0709, CVE-2019-0722
Three separate bugs, categorized as Remote Code Execution and ranked Critical, have been fixed in Hyper-V, the Windows component providing support for hardware virtualization.
While the technical details of these bugs have not been disclosed by Microsoft, it’s reasonable to assume they open the possibility of performing virtual machine “escape” attacks, where code on a guest virtual machine could jump out of the virtual environment and execute in the host machine running the VM.
Virtual machines are often used to create segregated virtual environments where unsafe programs can be run without the risk of them having any effect on the host machine, so this is troubling for those who use Hyper-V for this purpose.
Windows Elevation of Privilege
CVE-2019-1053, CVE-2019-1064, CVE-2019-1069
Three of the disclosed Elevation of Privilege bugs originate from the notoriously eccentric vulnerability researcher, SandboxEscaper.
Keeping true to her M.O., she “disclosed” the aforementioned bugs by publishing 0-day exploits for them on her github page in the weeks leading up to this month’s Patch Tuesday. She then subsequently deleted the repository of PoC exploits and uploaded a directory full of pictures of polar bears, which are also at risk (though not from these vulnerabilities).
Chakra & VBScript Remote Code Execution
CVE-2019-0920, CVE-2019-0988, CVE-2019-0989, CVE-2019-0990, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1005, CVE-2019-1023, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052, CVE-2019-1055
You’d think that, at a certain point, the obsolete, dormant project that is the VBScript engine would run out of security bugs after weekly bug discoveries and fixes for years on end, but it’s June, 2019 and the VBScript bug body count for this month is three.
It’s worth reiterating that VBScript is only supported by the (now deprecated) Internet Explorer browser–and even then, it’s blocked for Internet sites by default.
Sophos has released following detection to address the vulnerabilities mentioned above. Please note that additional vulnerabilities and corresponding detection may be released in the future.
N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. The IX ability to block the exploit depends on actual exploit weaponization approach which we won’t see until it’s spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks
Additional IPS Signatures
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.
It is mostly not possible to test with Intercept-X due to the nature of the data we receive.
What if the vulnerability/0-day you look for is not covered above?
The most likely reason for this is we did not receive enough information about the vulnerability to create detection.