In June, Microsoft fixed a total of 88 security vulnerabilities in its products with its monthly updates, 21 of which were flagged as critical.
Of the 21 critical issues, 17 vulnerabilities affect scripting engines and browsers (Internet Explorer and Microsoft Edge), so users are advised to update their devices as soon as possible, especially if they are connected to the Internet.
Three different vulnerabilities affect Hyper-V virtualization: CVE-2019-0620, CVE-2019-0709 and CVE-2019-0722. They allow authorized users in guest systems to execute arbitrary code on the host.
Microsoft discloses the details of the problem:
The vulnerability of remote code execution is manifested when the Hyper-V system on the host server cannot correctly process the data entered by an authorized user in the guest operating system. To exploit this vulnerability, an attacker needs to place in the guest system a specially created application that will allow the execution of arbitrary code on the Hyper-V host system.
This problem has not been publicly disclosed, and the company considers the probability of such an attack in real-world conditions to be very low.
A remote code execution vulnerability in the Microsoft Speech API, tracked as CVE-2019-0985, has also been fixed. It affects the Windows 7 and Windows Server 2008 R2 operating systems. Microsoft notes that to carry out an attack, an attacker must get the user to open a specially crafted document with TTS content on the vulnerable machine.
A remote code execution vulnerability has been discovered, which manifests itself when the Microsoft Speech API incorrectly processes speech text input (text-to-speech). This vulnerability causes memory corruption, with the result that an attacker could execute arbitrary code in the context of the current user.
Because of a security issue affecting FIDO keys, Microsoft also blocked pairing with Bluetooth Low Energy keys that have configuration errors.
The company explains the danger of the problem:
Because of incorrect configuration of the Bluetooth pairing protocols, an attacker who is physically close to the victim can interact with the security key or with the paired device for which the key is applied.
There are currently no reports of unsuccessful updates. Users are advised to install security patches as soon as possible to eliminate critical vulnerabilities.