Skip to content
Naked Security Naked Security

Critical Adobe Flash player bug and more in June’s Patch Tuesday

June patch Tuesday features fixes from Adobe and Microsoft for critical flaws including a remote code vulnerability in Adobe Flash Player.

The June patch Tuesday is out, featuring 88 CVE-level fixes, including 21 rated critical. Adobe, meanwhile, fixes several critical vulnerabilities, including a flaw in Adobe Flash Player marked critical because it could be exploited remotely. 

Adobe published a patch for a Flash Player bug  (CVE-2019-7845), affecting versions and earlier, that lets an attacker exploit the program through a malicious website or an ActiveX control. A successful attacker could run their own code remotely as the current user. The bug affects the Flash Player desktop runtime on Windows, macOS and Linux, along with the Google Chrome, Microsoft Edge, and IE 11 Flash Player plugins.

Also out from Adobe on Tuesday was a fix for critical vulnerabilities in its ColdFusion rapid web application development product. CVE-2019-7838 enables an attacker to bypass a file extension blacklist when uploading a file, while CVE-2019-7839 is an unspecified command injection vulnerability. The third, CVE-2019-7840, is a bug that allows for deserialization of untrusted data (deserialization means unpacking data from a format used to send it somewhere efficiently).

Finally, Adobe patched a critical vulnerability in its Campaign product for marketing professionals which could allow for remote code execution via a command injection flaw. It fixed this vulnerability (CVE-2019-7850) along with several other flaws rated either moderate or important.

Microsoft Edge

Microsoft’s other critical bug this month was in the scripting engine underpinning Microsoft Edge. This is the program that processes scripting languages like JavaScript. The engine doesn’t handle objects properly when running scripts in the Edge browser, meaning that a malicious website could cause it to spill its memory contents.

This bug (CVE-2019-0990) is considered critical on Microsoft Windows 10, and exploitation is likely, the company said. Versions of the bug also affect ChakraCore, Microsoft’s open source JavaScript virtual machine project.

All Microsoft browsers

A memory handling bug in Microsoft browsers could enable attackers to snoop on memory by persuading the user to view malicious content on a website. The bug, CVE-2019-1081, is ranked as important but exploitation is less likely, Microsoft says.

Jet Database

Microsoft fixed a remote code execution (RCE) bug in the Jet database, which underpins several Windows-related services and products. This bug (CVE-2019-0904 through 0909) allows an attacker to compromise a system by persuading someone to open a specially crafted file. It affects Windows 7 through 10, along with Windows Server 2008 through 2019. It gets an ‘important’ severity ranking and is less likely to be exploited, the company said.

Windows GDI

The Windows graphics device interface (GDI) is an intermediary between applications and graphical output devices like the video display and the printer. When software wants to display or print graphics, it does so via the GDI.

The bug, (CVE-2019-0968, 0977, 1009-1013, 1015-1016 & 1046-1050), causes the GDI to reveal what’s in its memory if given a suitably-crafted document or web page. Microsoft ranks it as important, but exploitation is unlikely. Products ranging from Windows 7 to 10 are vulnerable.


Microsoft’s Sharepoint collaboration server sometimes fails to sanitize web requests. This can lead to cross-side scripting (XSS) attacks, Microsoft warned, enabling an attacker to run their own scripts as the current user. They could read and delete unauthorized content, change permissions, and inject malicious content into the user’s browser.

This bug has an ‘important’ severity rating but exploitation is less likely, according to the technical notes. Versions of it (from CVE-2019-1031 through 1033 and 1036), affect various SharePoint-related releases, and Microsoft Project Server 2010.


This memory-handling vulnerability in Word (CVE-2019-1034 through 1036) enables attackers to run arbitrary code by persuading users to open a specially-crafted file or website. Although it’s an RCE bug, Microsoft still only gives it an ‘important’ rating and says that exploitation is less likely.

Windows Kernel

A memory bug in the Windows kernel enables an attacker with the right code to snoop on memory in a user mode process running in the kernel space. This could provide information leading to further compromise of the system, Microsoft warns, but exploitation is less likely. The bug, CVE-2019-1039, gets an ‘important’ rating.

Windows Event Viewer

Microsoft fixed a bug in the Windows Event Viewer, which is the Windows utility that shows logs of application and system messages. The Viewer includes a function that reads XML files. An attacker that sent a specially-crafted XML file could read arbitrary files on the host. This one gets a ‘moderate’ severity rating.


A laughable joke nowadays, “88 CVE-level fixes, including 21 rated critical.” If everything is an emergency, then nothing is an emergency. I’m tired of keeping up with the monthly barrage of critical problems, never mind the important ones, and the patches of patches. The only reason we still use Flash is because our vendor has yet to switch over to HTML5.


Our organization discovered that after applying KB4503276 (June Security rollup) that High Sierra Macs could no longer connect to native Windows print queues (not LPR/LPD) hosted on Server 2012 R2 and Server 2016 servers. That, along with the new bug that crashes Event Viewer whenever a custom view is used is causing headaches.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!