Microsoft has published the release notes for its latest batch of security updates for Windows and accompanying software such as IE, Edge, Office and Skype. There were 88 vulnerabilities addressed in total, a number which includes four zero-day flaws, and 21 labelled as critical vulnerabilities, reports Computing. Microsoft advises all users to install this latest set of Patch Tuesday updates immediately. Luckily there is no evidence of any of the vulnerabilities being exploited 'in the wild'.
The four zero-day flaws that are now patched are all elevation of privilege flaws, affecting Windows (CVE-2019-1064), Windows Task Scheduler (CVE-2019-1069), Windows Shell, where the flaw allowed a sandbox escape (CVE-2019-1053), and the Windows Installer (CVE-2019-0973). These four vulnerabilities were highlighted on the SandboxEscaper GitHub page last month.
Another couple of updates, CVE-2019-1019 and CVE-2019-1040, were necessary to stop attackers remotely running malicious code on any Windows machine, or authenticating to any web server supporting Windows Integrated Authentication. A wormable vulnerability, CVE-2019-0708, which existed in Remote Desktop Services and allowed remote code execution, has been patched.
Outside of Microsoft's first-party wares, there is a critical update for Flash Player, several fixes for a Broadcom wireless network driver, and OS-level blocks put in place for selected Bluetooth Low Energy FIDO security keys with known pairing vulnerabilities.