Automox Patch Tuesday Breakdown: July 2019

Welcome to July's Automox Patch Tuesday Breakdown. This month, Microsoft will be rolling out fixes for security flaws with Windows 10, as well as cumulative updates for Windows 8.1 and Windows 7. In total, there are 77 vulnerabilities to patch for this month – including two zero days.

Microsoft recommends patching for vulnerabilities as soon as possible. And this month, there are 15 critical security flaws that need to be addressed. Unpatched vulnerabilities are a primary driver of data breaches, yet failure to patch remains a significant problem for many organizations. Patching is key to minimizing your attack surface and making your network a “smaller target” for would-be attackers.

July's Patch Tuesday covers two zero days – vulnerabilities that are actively being exploited by malicious actors. After issuing the largest security update in a year last month, the finding of multiple zero-day vulnerabilities is a clear reminder that timely patching is essential for good cyber hygiene.

See last month's breakdown to learn more about June's Patch Tuesday update.

Microsoft Patches For Zero Days

This month, Microsoft has released two zero-day vulnerability patches. Both vulnerabilities involve privilege escalation issues. If attackers exploit these vulnerabilities, they can escalate their privileges to gain further access to systems. The two zero-days are:

CVE-2019-1132 - Win32k Elevation of Privilege Vulnerability
CVE-2019-0880 - Microsoft splwow64 Elevation of Privilege Vulnerability

While privilege escalation attacks will not allow a malicious actor to gain control of computers remotely, they can be used after an attacker has gained access to a system to elevate access rights during post-exploitation. As Qualys explains, these flaws can be synced up with other vulnerabilities to give an attacker complete access to your network. Given that these are zero-day vulnerabilities, patching sooner rather than later is strongly recommended. While Microsoft has marked these vulnerabilities as “important,” the fact that they are being exploited in the wild means they should be a top priority.

CVE-2019-1132 was discovered by ESET, and was reportedly part of an attack chain deployed by a Russian government-funded group. This vulnerability affects Windows 7 and  Windows Server 2008.

This escalation of privileges vulnerability occurs when the Win32k component fails to handle objects in memory correctly. Attackers can exploit this vulnerability and run arbitrary code in kernel mode. From there, malicious actors can install programs and create new accounts with full user rights. Exploitation would also allow them to view, change or delete data.

CVE-2019-0880 is a privilege escalation issue involving splwow64.exe and how it handles calls. While attackers cannot solely use this vulnerability to run arbitrary code, combining CVE-2019-0880 with other vulnerabilities can open the doors to arbitrary code execution. This vulnerability affects Windows 10, Windows 8.1 and multiple versions of Server 2012, 2016 and 2019.

More Important Updates From Microsoft

This month's Patch Tuesday also saw the release of patches for six publicly disclosed vulnerabilities. These include:

CVE-2018-15664 – Docker flaw in Azure
CVE-2019-0865  – SymCrypt DoS
CVE-2019-0887 – RDP Remote Code Execution
CVE-2019-0962 – Azure Automation elevation of privilege
CVE-2019-1068 – Microsoft SQL Server Remote Code Execution
CVE-2019-1129 – Windows Elevation of Privilege

Because the details of these vulnerabilities were made public, they could be more likely to be exploited by malicious actors. On top of these, there are another 15 critical security fixes for July.

Windows 7, Windows 8.1 and all versions of Windows 10 are affected by the same critical vulnerability:

CVE-2019-1102 – GDI+ Remote Code Execution

This is a remote code execution vulnerability in the way Windows Graphic Design Interface handles objects in memory. There are multiple ways for malicious actors to exploit this vulnerability. Successful exploitation could allow attackers to gain control of your system – permitting them to install programs and create new accounts with full user rights, as well as view, alter or delete data.

This issue is corrected by modifying how GDI handles objects in memory.

Server 2008 R2, Server 2012 R2, Server 2016 and Server 2019 are also affected by CVE-2019-1102. Servers 2012 R2, 2016 and 2019 are also affected by an additional vulnerability:

CVE-2019-0785 – Windows DHCP Server Remote Code Execution Vulnerability

This is a memory corruption vulnerability in Windows Server DHCP which occurs when a malicious actor “sends specially crafted packets to a DHCP failover server.” Correcting how DHCP failover servers handle network packets addresses this issue.

All versions of Windows are affected by at least one critical vulnerability, and security updates have been issued for a bevy of products from the company.

Other Updates For July

Azure DevOps Server and Team Foundation Server (TFS) are also getting an update for a remote code execution vulnerability this month.

CVE-2019-1072 – Azure DevOps Server/ TFS Remote Code Execution

This vulnerability exists when the servers fail to handle user input properly, which could allow attackers to execute remote code on the target server. All a bad actor has to do is submit a malicious file to the affected server – and if anonymous access to projects on the server is allowed, authentication wouldn't even be required. The update from Microsoft resolves this issue by correcting how the servers handle certain files.

Microsoft Edge and Internet Explorer 11 are also receiving updates to address remote code execution vulnerabilities, the bulk of which involve issues with scripting engine memory corruption. There are 13 critical vulnerabilities between these two products alone.

For Internet Explorer, these include: CVE-2019-1001, -1004, -1056, -1059, -1063, and -1104.

And for Chakra: CVE-2019-1062, -1092, -1103, -1106, and -1107

Adobe has also issued multiple patches for July. There are three updates for Bridge CC that are available, two of which are ranked as important. Dreamweaver and ExperienceManager each got one “important” update, as well. None of the vulnerabilities patched this month have been rated critical.

July's Patch Tuesday continues the wave of critical security updates we've seen the last few months. With two zero days and over a dozen critical vulnerabilities to address, patching remains one of the best ways to minimize your attack surface. Automated patch management can streamline the process and help you ensure patches are deployed across every device on your network.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.