Patch Central

JUNE 2019  – Microsoft Patch Tuesday  

The month of June is infamous in the northern hemisphere for many things – weddings, summer vacations, school recess. It also contains the longest day of the year, and the end of the month marks (roughly) the halfway point on the journey toward yet another new year.

For many IT pros, the longest day of any month (or at least the one that feels longest) is Patch Tuesday, especially when Microsoft gets ambitious and releases an especially large slate of security updates. This was one of those months.

The number of vulnerabilities fixed this month might not be Microsoft’s largest ever, but there are substantially more than has been usual lately, with over 40 fixes for most of its operating systems. The good news is that relatively few of them are rated critical.

As the number of patches increases, patch management becomes increasingly important – and given the number of malware authors and attackers out there and their ever-growing level of sophistication and skill, keeping systems updated is only going become more complicated in the future. A good update strategy is one of the best weapons in your arsenal for protecting your organization from expensive and reputation-damaging data breaches.

Now we’ll drill down into some of the specifics of the updates and the vulnerabilities that they address.

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

Security Advisories

The following security advisories were released on Patch Tuesday this month:

ADV190015 | June 2019 Adobe Flash Security Update – addresses a use-after-free vulnerability in Adobe Flash for Windows, Linux, macOS, and Chrome OS that is described in Adobe Security Bulletin APSB19-30 (CVE-2019-7845) and which could be exploited to cause remote code execution.

ADV190016 | Bluetooth Low Energy Advisory – advises that Microsoft has blocked pairing of certain Bluetooth Low Energy (BLE) keys due to a misconfiguration in the pairing protocols and that customers using the keys should read the related notifications on Google’s and Feitian’s web sites.

Operating system, OS components, and web browser updates

As usual, Windows 10 has the largest number of vulnerabilities patched this month of the client operating systems. Version 1703 gets fixes for 41 vulnerabilities; version 1709 gets 43; version 1803 gets 45; version 1809 gets 47; version 1903 gets 42.  Four vulnerabilities are considered critical in the two older versions, while three are rated critical in the rest. Remaining vulnerabilities are all rated important.

Windows 10

Depending on the version, forty-one to forty-seven vulnerabilities are fixed in this round of updates. That is roughly twice as many as usual. Windows 10 updates address the following issues:

For more information about the updates, see:

KB4503308 – Adobe Flash Player update.

KB4503279 – Windows 10 version 1703.

KB4503284 – Windows 10 version 1709.

KB4503286 – Windows 10 version 1803.

KB4503327 – Windows 10 version 1809. 

KB4503293 – Windows 10 version 1903.

These include security updates to Microsoft Edge, Internet Explorer, Windows App Platform and Frameworks, Windows Input and Composition, Microsoft Scripting Engine, Windows Media, Windows Shell, Windows Server, Windows Authentication, Windows Datacenter Networking, Windows Cryptography, Windows Storage and Filesystems, Windows Virtualization, Windows SQL Components, Internet Information Services, and the Microsoft JET Database Engine.

They also address the Bluetooth vulnerability discussed above by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections, including security fobs. If BTHUSB Event 22 in the Event Viewer states, “Your Bluetooth device attempted to establish a debug connection….”, then your system is affected.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above.

Older client operating systems

If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates as the same three critical vulnerabilities apply across all versions. Windows 7 has 42 vulnerabilties addressed and  Windows 8.1 has 35.

The following security updates apply to previous Windows operating systems:

• Windows 8.1 and RT 8.1 – KB4503276 (Monthly rollup) and KB4503290 (security only)
• Windows 7 – KB4503292 (Monthly rollup) and KB4503269 (security only)

These updates include fixes for vulnerabilities in the Windows App Platform and Frameworks, Windows Cryptography, Windows Hyper-V, Windows Storage and Filesystems, Windows Fundamentals, Windows Server, Windows Kernel, Windows MSXML, and the Microsoft JET Database Engine.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above.

Windows Server operating systems

The four currently supported versions of Windows Server each have from thirty-four to forty-seven vulnerabilities patched this month, with three or four critical issues, depending on the OS version.

• Windows Server 2008 R2 – KB4503292 — Monthly Rollup. Includes security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Shell, Windows Server, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Virtualization, Internet Information Services, and the Microsoft JET Database Engine.
• Windows Server 2012 – KB4503285 – Monthly rollup. Addresses a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections. Addresses an issue that may prevent the Preboot Execution Environment (PXE) from starting a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. Includes security updates to Adobe Flash Player, Windows App Platform and Frameworks, Windows Shell, Windows Input and Composition, Windows Authentication, Windows Server, Windows Cryptography, Windows Storage and Filesystems, Windows Datacenter Networking, Windows Virtualization, Internet Information Services, Windows Kernel, and the Microsoft JET Database Engine.
• Windows Server 2012 R2 – KB4503276 – Monthly rollup. Addresses a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections. Addresses an issue that may prevent the Preboot Execution Environment (PXE) from starting a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. Includes security updates to Adobe Flash Player, Windows App Platform and Frameworks, Windows Shell, Windows Input and Composition, Windows Authentication, Windows Server, Windows Cryptography, Windows Storage and Filesystems, Windows Datacenter Networking, Windows Virtualization, Internet Information Services, Windows Kernel, and the Microsoft JET Database Engine. Addresses an issue with the HTTP and HTTPS string character limit for URLs when using Internet Explorer.
• Windows Server 2016 – KB4503267 – Monthly rollup. Addresses an issue that may cause authentication to fail when using Windows Hello for Business on Windows Server 2016 with the Server Core option installed. Addresses a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections. Addresses an issue that may prevent the Preboot Execution Environment (PXE) from starting a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. ddresses an issue that may prevent Internet Explorer 11 from opening if the Default Search Provider is not set or is malformed. Includes security updates to Microsoft Edge, Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Windows Input and Composition, Windows Media, Windows Shell, Windows Server, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Virtualization, Internet Information Services, and the Microsoft JET Database Engine.

Microsoft web browsers

Microsoft Internet Explorer 11 gets patches for seven vulnerabilities this time around, five of them critical, while Edge doubles that number with fourteen fixes, twelve of which are for critical issues.

The following security updates apply to Microsoft’s web browsers:

• KB4503259 – Cumulative security update for Internet Explorer. Resolves several reported Scripting Engine memory corruption vulnerabilities in Internet Explorer.

Critical vulnerabilities

The following are some critical vulnerabilities addressed by this month’s updates:

• • CVE-2019-0620 – Windows Hyper-V Remote Code Execution Vulnerability. A remote code execution vulnerability that exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.
  • CVE-2019-0709 – Windows Hyper-V Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.
  • CVE-2019-0722 – Windows Hyper-V Remote Code Execution Vulnerability. A remote code execution vulnerability that exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.
  • CVE-2019-0888 –  ActiveX Data Objects (ADO) Remote Code Execution Vulnerability. A remote code execution vulnerability in the way that ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with the victim user’s privileges.

• CVE-2019-0985 – Microsoft Speech API Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Microsoft Speech API (SAPI) improperly handles text-to-speech (TTS) input.