Microsoft has issued patches for 88 vulnerabilities this patch Tuesday. Of the vulnerabilities, 20 were rated critical. One servicing stack and 4 advisories were also released in the update. Microsoft stated that there was no evidence to suggest that threat actors had been actively exploiting the vulnerabilities in the wild.
SandboxEscaper, a security researcher, identified four of the vulnerabilities and made the public aware of their existence. Microsoft quickly issued patches to address these vulnerabilities. SandboxEscaper has identified several zero-day flaws in Windows and has developed PoC exploits. The researcher usually publically discloses the flaws without giving Microsoft prior notice. This is sometimes a dangerous business; previously, some of the exploits developed by SandboxEscaper have been used in real-world attacks.
Microsoft has patched the latest 4 privilege escalation exploits before they can be exploited. These are CVE-2019-1069, CVE-2019-0973, CVE-2019-1064, and CVE-2019-1053. An ‘important’ rating was given to all four flaws, with three being rated “exploitation more likely.”
The critical vulnerabilities are present in Windows, Microsoft Scripting engines, and Microsoft Browsers. Microsoft said that threat actors could exploit the flaws to gain remote code execution abilities and steal information. Therefore, individuals should implement the patches swiftly.
Critical Vulnerabilities
- Microsoft Browsers – Microsoft Browser Memory Corruption Vulnerability – CVE-2019-1038
- Microsoft Graphics Component – Microsoft Speech API Remote Code Execution Vulnerability – CVE-2019-0985
- Microsoft Scripting Engine – Chakra Scripting Engine Memory Corruption Vulnerabilities – CVE-2019-1002, CVE-2019-0991, CVE-2019-0992, CVE-2019-1024, CVE-2019-0989, CVE-2019-1052, CVE-2019-01051, CVE-2019-1003
- Microsoft Scripting Engine – Scripting Engine Memory Corruption Vulnerabilities – CVE-2019-0988, CVE-2019-1055, CVE-2019-0920
- Microsoft Scripting Engine – Scripting Engine Information Disclosure Vulnerabilities – CVE-2019-1023, CVE-2019-0990
- Microsoft Windows – Windows Hyper-V Remote Code Execution Vulnerabilities – CVE-2019-0722, CVE-2019-0620
- The advisories concern vulnerabilities in third party software – Adobe Flash Player (ADV190015); Microsoft Devices (ADV190016; ADV190016); and Microsoft Exchange Server (ADV190018).
Adobe has issued 11 patches for vulnerabilities in Adobe ColdFusion, Flash Player, and Adobe Campaign. Three patches have been released for ColdFusion (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840); one for Adobe Flash (CVE-2019-7845) and 7 for Campaign, including the critical vulnerability CVE-2019-7843.