The June patch Tuesday is out, featuring 88 CVE-level fixes, including 21 rated critical. Adobe, meanwhile, fixes several critical vulnerabilities, including a flaw in Adobe Flash Player marked critical because it could be exploited remotely.
Adobe published a patch for a Flash Player bug (CVE-2019-7845), affecting versions 126.96.36.199 and earlier, that lets an attacker exploit the program through a malicious website or an ActiveX control. A successful attacker could run their own code remotely as the current user. The bug affects the Flash Player desktop runtime on Windows, macOS and Linux, along with the Google Chrome, Microsoft Edge, and IE 11 Flash Player plugins.
Also out from Adobe on Tuesday was a fix for critical vulnerabilities in its ColdFusion rapid web application development product. CVE-2019-7838 enables an attacker to bypass a file extension blacklist when uploading a file, while CVE-2019-7839 is an unspecified command injection vulnerability. The third, CVE-2019-7840, is a bug that allows for deserialization of untrusted data (deserialization means unpacking data from a format used to send it somewhere efficiently).
Finally, Adobe patched a critical vulnerability in its Campaign product for marketing professionals which could allow for remote code execution via a command injection flaw. It fixed this vulnerability (CVE-2019-7850) along with several other flaws rated either moderate or important.
All Microsoft browsers
A memory handling bug in Microsoft browsers could enable attackers to snoop on memory by persuading the user to view malicious content on a website. The bug, CVE-2019-1081, is ranked as important but exploitation is less likely, Microsoft says.
Microsoft fixed a remote code execution (RCE) bug in the Jet database, which underpins several Windows-related services and products. This bug (CVE-2019-0904 through 0909) allows an attacker to compromise a system by persuading someone to open a specially crafted file. It affects Windows 7 through 10, along with Windows Server 2008 through 2019. It gets an ‘important’ severity ranking and is less likely to be exploited, the company said.
The Windows graphics device interface (GDI) is an intermediary between applications and graphical output devices like the video display and the printer. When software wants to display or print graphics, it does so via the GDI.
The bug, (CVE-2019-0968, 0977, 1009-1013, 1015-1016 & 1046-1050), causes the GDI to reveal what’s in its memory if given a suitably-crafted document or web page. Microsoft ranks it as important, but exploitation is unlikely. Products ranging from Windows 7 to 10 are vulnerable.
Microsoft’s Sharepoint collaboration server sometimes fails to sanitize web requests. This can lead to cross-side scripting (XSS) attacks, Microsoft warned, enabling an attacker to run their own scripts as the current user. They could read and delete unauthorized content, change permissions, and inject malicious content into the user’s browser.
This bug has an ‘important’ severity rating but exploitation is less likely, according to the technical notes. Versions of it (from CVE-2019-1031 through 1033 and 1036), affect various SharePoint-related releases, and Microsoft Project Server 2010.
This memory-handling vulnerability in Word (CVE-2019-1034 through 1036) enables attackers to run arbitrary code by persuading users to open a specially-crafted file or website. Although it’s an RCE bug, Microsoft still only gives it an ‘important’ rating and says that exploitation is less likely.
A memory bug in the Windows kernel enables an attacker with the right code to snoop on memory in a user mode process running in the kernel space. This could provide information leading to further compromise of the system, Microsoft warns, but exploitation is less likely. The bug, CVE-2019-1039, gets an ‘important’ rating.
Windows Event Viewer
Microsoft fixed a bug in the Windows Event Viewer, which is the Windows utility that shows logs of application and system messages. The Viewer includes a function that reads XML files. An attacker that sent a specially-crafted XML file could read arbitrary files on the host. This one gets a ‘moderate’ severity rating.