Microsoft releases 12 updates patching 49 vulnerabilities in June Patch Tuesday

Long-standing 'always listening' flaw in Cortana among 49 patched vulnerabilities

Microsoft has released 12 updates intended to patch a total of 49 security vulnerabilities in its June Patch Tuesday.

The updates will patch flaws in Windows, Office, SharePoint, and the Internet Explorer and Edge web browsers, and include a patch to an ‘elevation of privilege vulnerability' in Cortana, Microsoft's smart assistant built-in to Windows 10.

Among the patches are fixes for Spectre Variant 4 or ‘speculative store bypass', a security flaw affecting PCs with Intel microprocessors. This will require some extra measures to fully fix, according to Microsoft guidance.

This security flaw could enable an attacker to bypass a user's security via JavaScript code run in a browser.

"An attacker who has successfully exploits this vulnerability may be able to read privileged data across trust boundaries," warns the Microsoft guidance.

It continues: "Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability.

"In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639.

"However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel."

The patches also cover flaws in the Windows DNSAPI that could, according to security firm Qualys, "enable an attacker to compromise a systems through a malicious DNS server", and a critical flaw in Microsoft's HTTP.sys kernel-mode protocol listener used by the IIS web server and various services in Windows.

Lane Thames, a senior security researcher at Tripwire, highlighted a particular update to patch a long-standing flaw with Cortana that left Cortana always listening for commands, even when the PC is locked.

"The advisory states that ‘Cortana retrieves data from user input services without consideration for status'," said Thames.

He continued: "It is not immediately obvious what ‘status' means, but it appears to be that Cortana is listening to commands even when the machine is locked… Google shows that this vulnerability (or a part of it) was identified months ago and was initially discussed in March 2018 at the Kaspersky SAS 2018 conference.

"This particular vulnerability is not highly critical, but it is interesting as it targets a growing and popular class of technology - intelligent digital personal assistants. We've already seen weaknesses recently in Alexa due to third-party application issues. More of these types of problems will start to appear, most likely, in the years to come."

The usual major security flaw in Adobe Flash Player was fixed in an out-of-band patch last week.