- Microsoft released their June security update, and it fixes 88 vulnerabilities on Windows 10.
- Out of these, 19 are of critical severity, and another 65 are classified as important.
- Unfortunately, several of the zero-day flaws that were revealed last month weren’t addressed by this patch.
With all that was unveiled last month, Microsoft engineers had a lot of work to do for this month’s Windows 10 bug-fixing and security-bolstering update. We saw multiple zero-day flaws revealed by the hacker “SandboxEscaper”, each accompanied by proof-of-concept code on GitHub, and we also saw a Notepad exploit from a Google Project Zero researcher who shared the details with Microsoft alone. Not all of these were covered by this month’s patch, showing that the process of plugging a flaw, passing the fix through testing, and rolling it out as part of an update is not very agile. This means that several zero-day flaws will have to wait until next month, which leaves users at risk for an extended period.
So, what do the 88 flaws that were fixed concern? Nineteen of them are rated “critical”, another 65 are classified as “important”, and four of them are of lesser importance. Here is a list with the most notable fixes, as they have been cherry-picked by the Cisco Talos team:
- Eight memory corruption vulnerabilities concern the Chakra scripting engine and Internet Explorer’s JScript module. An attacker could exploit any of these eight flaws by luring a user to a specially crafted website and gain control of the system through memory corruption.
- CVE-2019-0620 is a remote code execution vulnerability in Windows Hyper-V: an attacker running a malicious application on a guest OS could achieve arbitrary code execution on the host OS, with no validation standing in the way.
- CVE-2019-0888 is a remote code execution flaw in ActiveX Data Objects (ADO) that allows an attacker to use a malicious website to execute code on the victim’s machine.
- CVE-2019-1065 is a Windows kernel object mishandling problem that can potentially lead to an elevation of privilege. Again, for the attack to work, the actor would need to run a malicious application on the system.
- CVE-2019-0948 is a moderate-severity information disclosure vulnerability that plagues the Windows Event Manager. An attacker exploiting this vulnerability could potentially read files via an XML external entity declaration.
The above are of course only a few examples of what has been fixed with this latest update, as the full list counts 88 flaws. If you want to keep your Windows 10 as safe as it can be right now, apply the patch immediately and restart your system so the installation completes. As for the zero-day flaws that Microsoft didn’t have the time to release fixes for, they may do so with an intermediate update rolled out in a week or two.