Nearing the halfway point of 2019, today's Patch Tuesday sees Microsoft fix 88 vulnerabilities, the highest count so far this year. Nothing this month seems "wormable" like the BlueKeep vulnerability patched in May, and none of them have been seen exploited in the wild. However, four elevation of privilege vulnerabilities had been previously disclosed. It's likely that at least some of these correspond to the vulnerabilities published by the security researcher known as SandboxEscaper over the last several weeks. Two of them, CVE-2019-1064 (AppX Deployment Service) and CVE-2019-1069 (Task Scheduler), affect Windows 10 and later. CVE-2019-1053 (Windows Shell) and CVE-2019-0973 (Windows Installer) both affect all currently supported versions of Windows.

Severity-wise, CVE-2019-1019 is a nasty-looking Security Feature Bypass that could let an attacker steal a session key using a specially crafted NETLOGON message, allowing them to access other systems as the original user. This is known as an NTLM Relay attack. (Note that this is distinct from CVE-2019-9510, an RDP issue that the CERT Coordination Center issued an advisory for on June 4th but Microsoft does not consider a candidate for a security fix.)

CVE-2019-0888 and CVE-2019-0722 are also fairly critical to get patched this month, being remote code execution (RCE) vulnerabilities in ActiveX and Hyper-V respectively. Fixes were also released today for Word, IE, Edge, SharePoint Server and Lync Server. As is often the case, an RCE in Adobe Flash was also fixed (CVE-2019-7845). Some additional fixes that came from other vendors but affect Microsoft products were also published today as security advisories. ADV190017 describes three RCE vulnerabilities affecting HoloLens devices, due to flaws in the Broadcom wireless chipset firmware, and ADV190016 addresses a weakness in the algorithm used when pairing Bluetooth Low Energy security keys. If you have any such keys in your environment, be sure to update the Windows security updates and also check for any advisories from the key manufacturers themselves.

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
Note: not all CVEs had CVSSv3 data available at the time of writing