12
Jun 19

Microsoft Patch Tuesday, June 2019 Edition

Microsoft on Tuesday released updates to fix 88 security vulnerabilities in its Windows operating systems and related software. The most dangerous of these include four flaws for which there is already exploit code available. There’s also a scary bug affecting all versions of Microsoft Office that can be triggered by a malicious link or attachment. And of course Adobe has its customary monthly security update for Flash Player.

Microsoft says it has so far seen no exploitation against any of the four flaws that were disclosed publicly prior to their patching this week — nor against any of the 88 bugs quashed in this month’s release. All four are privilege escalation flaws: CVE-2019-1064 and CVE-2019-1069 affect Windows 10 and later; CVE-2019-1053 and CVE-2019-0973 both affect all currently supported versions of Windows.

Most of the critical vulnerabilities — those that can be exploited by malware or miscreants to infect systems without any action on the part of the user — are present in Microsoft’s browsers Internet Explorer and Edge.

According to Allan Liska, senior solutions architect at Recorded Future, serious vulnerabilities in this month’s patch batch reside in Microsoft Word (CVE-2019-1034 and CVE-2019-1035).

“This is another memory corruption vulnerability that requires an attacker to send a specially crafted Microsoft Word document for a victim to open, alternatively an attacker could convince a victim to click on a link to a website hosting a malicious Microsoft Word document,” Liska wrote. “This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365. Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited.”

Microsoft also pushed an update to plug a single critical security hole in Adobe’s Flash Player software, which is waning in use but is still a target for malware purveyors. Google Chrome auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it. By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

Note that Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

As always, if you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Additional reading:

Martin Brinkmann’s take at Ghacks.net

Qualys on Patch Tuesday

SANS’s quick reference by severity


33 comments

  1. Will you marry me?

  2. All the patches installed on my W10H and W7U machines yesterday, but there was an additional core update (not a malware definitions update) this morning for the W10 machines running v1809 (signed as 2019-02) that took awhile; both digested it okay.

  3. The Sunshine State

    It took me 6 hours to install Windows 10 (1903) on an ASUS Republic of Gaming laptop. One black screen of death, one roll back to 1809 and a real nice Blue Screen of Death to complete the whole thing.

  4. Everything installed properly on my W10 Pro machine running 1809 yesterday evening, including the 2019-02 update.

  5. It apparently broke custom views in Event Viewer for 1809 and 1903.

    Ghacks and BleepingComputer have both reported it.

  6. Since installing when I turn on my computer in the morning it boots with a “You have been logged in with a temporary profile” error. Looks like a fresh install, all docs are gone..etc. When I shut down and reboot it boots correctly.

  7. After installing KB4503276 onto Win2012 R2, none of our OSX Macs can connect to the Windows print queues. Most of the Macs are High Sierra. Removing KB4503276 restored print queue access.

  8. One of the patches decided to remove my TAP network device so that I couldn’t use my vpn to connect back to the office. Somewhat of a pain to find a solution as just adding one back didn’t work.

    I had to find a script to remove all the Windows TAP drivers and then reinstall openvpn in order for it to function again.

  9. Virus e-mail links can never be fixed with patches and updates. Wishful thinking.

  10. Windows attempted an automatic update today which crashed the computer and it will not complete booting up. Just goes into a loop periodically showing the wallpaper but never prompts for the PIN. Rebooting doesn’t help. Now what?

    • I once had that happen to my grandmother’s computer. The weird thing that worked was to do the update in safe mode.

      Every computer is different, but with hers, the sequence was: hold down f12 on reboot, go to the BIOS thing, select “start in safe mode” then let it boot the rest of the way with nothing plugged in. Then do the update. After, reboot normally, then plug in peripherals.

      I’m guessing that maybe her printer or mouse or something was interfering with the update. Or one of the background programs, like antivirals. Not sure why.

    • Andree Conley-Kapoi

      My computer (2 1/2 yr old Dell) completely crashed and can not reset- going to buy new computer — Mahalo

  11. update done on Dell laptop today and File Explorer will now not work and wallpaper has been removed. Rebooting doesn’t make any difference.

  12. Why do you keep posting Microsoft patch updates?
    It’s public knowledge Microsoft puts backdoors in their software, really doesn’t matter what “security patches” they release, using Microsoft is a huge security threat as it is.

    Why don’t you talk about linux??

    • Bingo !!! You certainly nailed it. Hackers are reading all of this and taking notes and that’s why I entered a fake email.

    • I am a certified Linux engineer and have been using and implementing it religiously since 97. With that being said, most businesses NEED to run Windows on the desktop. Business Applications are not typically designed for Linux desktops. So, yes, you could create Win VMs and run them within a *nix OS but what does that get you? Nothing but more complex problems and overhead. It’s like when management wants to use a Mac but their underlying infrastructure is pure Windows with Windows only apps. You then need to create a Terminal Services server and create RDCs to a Windows environment just so they can say they use a Mac at work but in reality they are using a Windows session via a Mac.

      Thanks Brian, I appreciate your condensed version with your comments regarding Patch Tuesday. The comments section saved our Windows team when the patch was released several months ago that broke SMB! Our teams read Krebs regularly and that was the first place they had noticed the SMB issue so they waited to patch after the fix was pushed out via WSUS.

  13. Laptop updates today on restart black screen only. Cannot get past log in, have had to change pin and password. Nothing will work. Just black screen and cursor. Dead

  14. My father called me yesterday morning to report that his Windows 10 system was telling him that there “no bootable devices found”. Being the computer guy in the family (albeit with a Linux bent, rather than Windows) I went to his place after work and looked at it. He’d already had Windows run checks on the disk/memory/etc. I booted the workstation to a USB Linux image and I was able to mount the disk without problems. I ultimately fixed the problem by going into the BIOS –> Settings –> General –> Boot Sequence and creating a new boot sequence. Being a Linux guy, I didn’t know what I was doing…I just browsed to a likely looking file and tried it. To my surprise and delight, it booted the system, and I was presented with a message from Windows telling me that the update had failed and was being backed-out; Once I saw this, it was pretty clear what had caused the boot failure. The system was ultimately able to boot without any obvious problems, and then I restored the BIOS settings to their original state, and it booted successfully again. My father hasn’t reported any problems with the computer since then. I stopped by his place again tonight and tried to run the Windows Update manually, and it failed. At least this time it didn’t leave the computer unbootable.

  15. After installing win 10 in my Lenovo z570, it shutdown automatically. Why?

  16. Call your father in law, have him run the win 10 program from the command line, called MRT. Either case, it’s one of those hidden programs, that ms has, to annoy people. It looks like a virus checker, and indexer. But updates are usually found after time I run it.

    • MRT is a Microsoft rootkit search and removal tool normally run by Windows Update.

      It does not annoy people who can type MRT in an effort to learn what they don’t know. It is not part of any conspiracy.

      It is part of an effort by Microsoft to ramp up security in Windows 10. They have done a great job and deserve credit for it.

      The updates ran fine for me as they always do.

  17. CHC of Asheville

    Update caused other PCs on home network to become invisible/require login credentials… turned out that the “password protected sharing” setting under “all networks” got flipped to true.

  18. Multiple bluescreens on an Acer Aspire F 15, cannot even repair with “sfc /scannow” or restore point as it craps out partway through. This update fried my OS.

  19. David Skerritt

    I updated to the new feature update about a week ago no problems, but after this June 2019 Patch Tuesday update Windows 10 will not finish booting up. It gets to lock screen, I type password, then after about 5 minutes it hangs. I’ve done a recovery to before the update and all is well. I set the updates to not install for I think 35 days. Hoping July Patch Tuesday update will install correctly.

  20. Trashed system

    There should be three independent partitions or drives. The first is the operating system. The second is software and device drivers. The third is data. If the operating system is trashed, as happened to me this week by a failed update, the operating system can be replaced without losing software or data.

  21. haven’t we just about had enough?

    i switched off updates on my virtual guest Win8 machine and disabled access to the network

  22. Windows flaws and updates have been the leading cause of failure to boot, and unrecoverable crashes then malware or viruses in my experience, using normal (abnormal, as most don’t?) internet precautions. Like scanning files off the internet with Jotties malware scan (uses a dozen or more virus scanners for files less than 25mb), not clicking on every “free xbox” ad, or on email attachments etc.

    Macrium Reflect is a free program that can restore Windows from a bootable recovery DVD the program can make, in only 20 minutes or up to an hour. I get a repeat backups to a normally unplugged USB drive every 2-3 months.

  23. Douglass H Starkey

    Installed 1903 on my Lenovo just got black screen & continuous circle. Rebooted several times, the same thing. Finally, I had to reset the laptop and lost all apps. Thanks, Microsoft
