This month’s Microsoft Patch Tuesday addresses 88 vulnerabilities with 21 of them labeled as Critical. Of the 21 Critical vulns, 17 are for scripting engines and browsers, and 3 are potential hypervisor escapes in Hyper-V. The remaining vulnerability is an RCE in the Microsoft Speech API. Microsoft also issued guidance on Bluetooth Low Energy FIDO keys, HoloLens, and Microsoft Exchange. Adobe issues patches today for Flash, ColdFusion, and Campaign.
Workstation Patches
Scripting Engine and Browser patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Hyper-V Hypervisor Escape
Three remote code execution vulnerabilities are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.
Microsoft Speech API RCE
A remote code execution vulnerability exists in the Microsoft Speech API. This impacts Windows 7 and Server 2008 R2 and requires a user to open a malicious document in order to exploit.
Adobe Patch Tuesday
Adobe released updates today for Flash, ColdFusion, and Campaign. The Flash update fixes one critical CVE and should be prioritized for workstations that have Flash installed. The ColdFusion updates address three vulnerabilities of various types, all labeled as Critical. Anyone running a ColdFusion server should test and patch as soon as possible. The Adobe Campaign patch addresses 7 different vulnerabilities, with one labeled as Critical.
Executive Summary
- Microsoft released security updates for all supported versions of the Windows operating system in June 2019.
- All client and server versions have critically rated vulnerabilities patched.
- Microsoft released security updates for other products such as Internet Explorer, Microsoft Edge, Microsoft Office, Azure, Microsoft Exchange Server, and Skype.
Operating System Distribution
- Windows 7: 42 vulnerabilities of which 3 are rated critical and 39 are rated important
  - CVE-2019-0722 | Windows Hyper-V Remote Code Execution Vulnerability
  - CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
  - CVE-2019-0985 | Microsoft Speech API Remote Code Execution Vulnerability
- Windows 8.1: 35 vulnerabilities of which 3 are rated critical and 32 are rated important
  - same as 1903
- Windows 10 version 1703: 41 vulnerabilities of which 4 are critical and 37 are important
  - same as 1709
- Windows 10 version 1709: 43 vulnerabilities of which 4 are critical and 39 are important
  - CVE-2019-0709 | Windows Hyper-V Remote Code Execution Vulnerability
  - same as 1903
- Windows 10 version 1803: 45 vulnerabilities of which 3 are critical and 43 are important
  - same as 1903
- Windows 10 version 1809: 47 vulnerabilities of which 3 are critical and 44 are important
  - same as 1903
- Windows 10 version 1903: 42 vulnerabilities of which 3 are critical and 39 are important
  - CVE-2019-0620 | Windows Hyper-V Remote Code Execution Vulnerability
  - CVE-2019-0722 | Windows Hyper-V Remote Code Execution Vulnerability
  - CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
Windows Server products
- Windows Server 2008 R2: 42 vulnerabilities: 3 are critical and 39 are important.
  - CVE-2019-0722 | Windows Hyper-V Remote Code Execution Vulnerability
  - CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
  - CVE-2019-0985 | Microsoft Speech API Remote Code Execution Vulnerability
- Windows Server 2012 R2: 34 vulnerabilities: 3 are critical and 31 are important.
  - Same as Server 2019
- Windows Server 2016: 39 vulnerabilities: 4 are critical and 35 are important.
  - CVE-2019-0709 | Windows Hyper-V Remote Code Execution Vulnerability
  - Same as Server 2019
- Windows Server 2019: 47 vulnerabilities: 3 are critical and 44 are important.
  - CVE-2019-0620 | Windows Hyper-V Remote Code Execution Vulnerability
  - CVE-2019-0722 | Windows Hyper-V Remote Code Execution Vulnerability
  - CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
Known Issues
Windows 7 SP1 and Server 2008 R2
- Issue with McAfee Enterprise products that may cause the system to have slow startups or become unresponsive.
- Internet Explorer 11 may stop working when “loading or interacting with Power BI reports”.
  - Workaround: republish with Markers turned off.
Windows 8.1 and Server 2012 R2
- Same as Windows 7 SP1 and Server 2008 R2
- Certain operations on Cluster Shared Volumes still fail. Workaround is still valid.
Windows 10 version 1709, 1803
- Certain operations on Cluster Shared Volumes still fail. Workaround is still valid.
Windows 10 version 1809
- Certain operations on Cluster Shared Volumes still fail. Workaround is still valid.
- A printing issue in Microsoft Edge and other UWP apps that throws “Your printer has experienced an unexpected configuration problem. 0x80070007e.” errors.
  - Workaround: use another browser to print.
- Error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND” after installing KB4493509 on devices with certain Asian languages.
Windows 10 version 1903
- Windows Sandbox may fail to start with ERROR_FILE_NOT_FOUND (0x80070002)
Direct update downloads
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4503292 — 2019-06 Security Monthly Quality Rollup for Windows 7
- KB4503269 — 2019-06 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4503276 — 2019-06 Security Monthly Quality Rollup for Windows 8.1
- KB4503290 — 2019-06 Security Only Quality Update for Windows 8.1
Windows 10 (version 1709)
- KB4503279 — 2019-06 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4503286 — 2019-06 Cumulative Update for Windows 10 Version 1803
Windows 10 (version 1809)
- KB4503327 — 2019-06 Cumulative Update for Windows 10 Version 1809
Windows 10 (version 1903)
- KB4503293 — 2019-06 Cumulative Update for Windows 10 Version 1809
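
Checking a host against the list above (an added example, not part of the original post): the script maps the local Windows release to the KB numbers given under "Direct update downloads", reports whether one of them is installed, and flags Hyper-V hosts, which the post says to prioritize. The function name Test-June2019Update is hypothetical.

```powershell
# Added example; Test-June2019Update is a hypothetical name.
function Test-June2019Update {
    # KB numbers copied from the "Direct update downloads" list on this page,
    # keyed by registry CurrentVersion (pre-Windows 10) or ReleaseId (Windows 10).
    $kbByRelease = @{
        '6.1'  = @('KB4503292', 'KB4503269')  # Windows 7 SP1 / Server 2008 R2
        '6.3'  = @('KB4503276', 'KB4503290')  # Windows 8.1 / Server 2012 R2
        '1709' = @('KB4503279')
        '1803' = @('KB4503286')
        '1809' = @('KB4503327')
        '1903' = @('KB4503293')
    }

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Windows 10-era systems expose CurrentMajorVersionNumber and ReleaseId;
    # older systems only carry CurrentVersion (6.1, 6.3).
    if ($cv.CurrentMajorVersionNumber -eq 10) {
        $release = $cv.ReleaseId
    } else {
        $release = $cv.CurrentVersion
    }

    $expected = @()
    if ($release -and $kbByRelease.ContainsKey($release)) {
        $expected = $kbByRelease[$release]
    }

    # Either the rollup or the security-only update counts as patched.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $expected -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })

    if ($expected.Count -eq 0)  { $status = 'ReleaseNotListedOnPage' }
    elseif ($found.Count -gt 0) { $status = 'Installed' }
    else                        { $status = 'NotFound' }  # see note below

    # The Hyper-V Virtual Machine Management service (vmms) marks a Hyper-V host.
    $isHyperV = [bool](Get-Service -Name vmms -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Release    = $release
        ExpectedKB = $expected -join ', '
        FoundKB    = $found -join ', '
        Status     = $status
        HyperVHost = $isHyperV
    }
}

Test-June2019Update
```

A status of NotFound on a host patched after June 2019 is not conclusive: later cumulative updates and rollups supersede these KBs and the older entry may no longer be listed, so confirm against the OS build number before treating the host as unpatched.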