This month’s Microsoft Patch Tuesday addresses 88 vulnerabilities with 21 of them labeled as Critical. Of the 21 Critical vulns, 17 are for scripting engines and browsers, and 3 are potential hypervisor escapes in Hyper-V. The remaining vulnerability is an RCE in the Microsoft Speech API. Microsoft also issued guidance on Bluetooth Low Energy FIDO keys, HoloLens, and Microsoft Exchange. Adobe issues patches today for Flash, ColdFusion, and Campaign.
Scripting Engine and Browser patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Hyper-V Hypervisor Escape
Three remote code execution vulnerabilities (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.
Microsoft Speech API RCE
A remote code execution vulnerability (CVE-2019-0985) exists in the Microsoft Speech API. This impacts Windows 7 and Server 2008 R2, and requires a user to open a malicious document in order to exploit.
Microsoft also issued several advisories:
- ADV190016 Disables the ability to use certain Bluetooth Low Energy FIDO security keys, due to a vulnerability that was disclosed in May. Google and Feitian have issued advisories for customers of these keys.
- ADV190017 fixes several vulnerabilities in HoloLens that could allow an unauthenticated attacker to DoS or compromise HoloLens devices if they are in close proximity.
- ADV190018 refers to a “Microsoft Exchange Server Defense in Depth Update,” but there are no details provided around the update as of the time of this writing.
Adobe Patch Tuesday
Adobe released updates today for Flash, ColdFusion, and Campaign. The Flash update fixes one critical CVE, and should be prioritized for workstations that have Flash installed. The ColdFusion updates address three vulnerabilities of various types, all labeled as Critical. Anyone running a ColdFusion server should test and patch as soon as possible. The Adobe Campaign patch addresses 7 different vulnerabilities, with one labeled as Critical.