No fewer than 21 flaws are labeled as critical

Jun 12, 2019 05:22 GMT

Microsoft has released this month’s Patch Tuesday security updates to resolve a total of 88 vulnerabilities in its products, and this time no fewer than 21 of them are critical.

Out of these 21 critical vulnerabilities, 17 impact scripting engines and browsers (Internet Explorer and Microsoft Edge), so customers are strongly advised to update their devices, especially if they’re using these applications on Internet-connected devices.

Three different vulnerabilities affect Hyper-V, namely CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722, and they allow authenticated users on guest systems to run arbitrary code on the Hyper-V host.

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code,” Microsoft explains.

This flaw wasn’t publicly disclosed and the company says it’s not aware of any exploits out in the wild.

BLE advisory

There’s also an RCE flaw in the Microsoft Speech API, documented in CVE-2019-0985. This vulnerability affects Windows 7 and Windows Server 2008 R2, and Microsoft says the attack involves the user launching a crafted document with TTS content on a vulnerable device.

“A remote code execution vulnerability exists when the Microsoft Speech API (SAPI) improperly handles text-to-speech (TTS) input. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user,” Microsoft says.

Microsoft is also blocking the pairing of Bluetooth Low Energy (BLE) keys that have a pairing misconfiguration, due to an issue affecting FIDO Security Keys.

“Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key, or communicate with the device to which the key is paired,” it says.

There are no reports of botched updates just yet, and users are advised to install them as soon as possible, especially because critical security vulnerabilities are resolved.