Microsoft has published its monthly security updates, known as Patch Tuesday, which patch 88 vulnerabilities, 21 of which have been given the severity “Critical.”
The May 2019 Patch Tuesday also includes patches for four of the five zero-days that the security researcher and exploit seller known as SandboxEscaper published online during the last month.
Security patches are available for the following zero-days:
- BearLPE : CVE-2019-1069 : LPE exploit in the Windows Task Scheduler process
- SandboxEscape : CVE-2019-1053 : Sandbox escape for Internet Explorer 11
- CVE-2019-0841-BYPASS : CVE-2019-1064 : Bypass of the CVE-2019-0841 patch
- InstallerBypass : CVE-2019-0973 : LPE targeting the Windows Installer folder
A fix for the fifth zero-day is not available, because details of this bug were published just last week and so no patch was released for it.
Even though details and proof-of-concept demo exploit code were available for all four of these zero-days, none of them was exploited in any malware campaign. None of the 88 vulnerabilities patched this month was exploited in the wild either.
Besides patches for Windows and Office products, Microsoft also issued a security advisory about separate firmware updates for HoloLens devices. These updates patch four remote code execution (RCE) flaws, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503, which impacted the Broadcom wireless chipset included in Microsoft HoloLens devices.
Other patches include the ones for nine RCEs in the Chakra Scripting Engine (included with Edge), four RCEs in the Microsoft Scripting Engine, three RCEs in the Microsoft Hyper-V hypervisor, an RCE in the Microsoft Speech API, and an RCE affecting both Edge and Internet Explorer.
Microsoft warned that some Bluetooth-based security keys might stop working on Windows after the latest patches are applied. This concerns the Feitian and Google Titan security keys, which have a misconfiguration in the Bluetooth pairing protocols that allows an attacker to interact with the key. Users of these devices are advised to request a replacement, which Google and Feitian provide free of charge.
More details regarding the Patch Tuesday updates are available on Microsoft’s official Security Update Guide portal.