June 12, 2019

Microsoft on Tuesday released updates to fix 88 security vulnerabilities in its Windows operating systems and related software. The most dangerous of these include four flaws for which there is already exploit code available. There’s also a scary bug affecting all versions of Microsoft Office that can be triggered by a malicious link or attachment. And of course Adobe has its customary monthly security update for Flash Player.

Microsoft says it has so far seen no exploitation against any of the four flaws that were disclosed publicly prior to their patching this week — nor against any of the 88 bugs quashed in this month’s release. All four are privilege escalation flaws: CVE-2019-1064 and CVE-2019-1069 affect Windows 10 and later; CVE-2019-1053 and CVE-2019-0973 both affect all currently supported versions of Windows.

Most of the critical vulnerabilities — those that can be exploited by malware or miscreants to infect systems without any action on the part of the user — are present in Microsoft’s browsers Internet Explorer and Edge.

According to Allan Liska, senior solutions architect at Recorded Future, serious vulnerabilities in this month’s patch batch reside in Microsoft Word (CVE-2019-1034 and CVE-2019-1035).

“This is another memory corruption vulnerability that requires an attacker to send a specially crafted Microsoft Word document for a victim to open, alternatively an attacker could convince a victim to click on a link to a website hosting a malicious Microsoft Word document,” Liska wrote. “This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365. Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited.”

Microsoft also pushed an update to plug a single critical security hole in Adobe’s Flash Player software, which is waning in use but it still is a target for malware purveyors. Google Chrome auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it. By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

Note that Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

As always, if you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Additional reading:

Martin Brinkmann’s take at Ghacks.net

Qualys on Patch Tuesday

SANS’s quick reference by severity

65 thoughts on “Microsoft Patch Tuesday, June 2019 Edition

  1. J. Spencer

    The June update hosed my Windows 7 Pro Dell home server. I know its out of date tech, but its worked flawlessly for years, until this update. The update seems to have done something to the OEM Intel grahics driver, and now the system shuts down on its own and the sever has to be restarted, ar whuch point, the “Windows Failed to Shut Down Propetly” screen appears, of course.

    Using Windows Restore to roll back 10 days to a point before this buggy update. Fingers crossed.

  2. John

    Does anyone know if the MS Word exploit works if the document is opened with Libre Office rather than MS’s application?

  3. Altus

    I have a very strange issue with the 1903 upgrade on one Lenovo E5070 notebook.
    Out of a total of 38 machines that received the feature update, this is the only one that is giving me issues.
    Once the update successfully completes, Outlook 2016 is no longer able to connect to the on-site Exchange server. It just stays in a disconnected state.
    All the other machines have a similar software configuration and is working like a charm. I have completely removed the Office 2016 Pro package, but to no avail.
    Please help!!

  4. Mike G

    I STUPIDLY allowed “HP Assistant” to update my computer .(bit like asking a Lemming to hold hands on your web along the cliff path) about 5 ago. An HP Pavilion. It promptly made the computer unusable and refused to do anything at all, would not go back to earlier restore point or anything at all. Now gone back to HP. DOH !

Comments are closed.