Microsoft has addressed 77 vulnerabilities in its July Patch Tuesday update, with 15 of them rated as critical and two known to be under active exploit; and Adobe issued a small group of updates, with surprisingly none for Acrobat Reader or Flash.
Eleven of the critical bugs are for scripting engines and browsers, and the four others affect the DHCP Server, GDI+, the .NET Framework and the Azure DevOps Server/Team Foundation Server.
“Scripting engine, browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” according to Patch Tuesday commentary from Qualys. “This includes multi-user servers that are used as remote desktops for users.”
The Microsoft ChakraCore Scripting Engine, Internet Explorer 11 and Microsoft Edge all have a memory corruption vulnerability in their scripting engine (CVE-2019-1001) that could lead to RCE.
“The vulnerability exists in the way that the memory handles objects in memory and successful exploitation could allow an attacker to execute arbitrary code,” said Allan Liska, intelligence analyst at Recorded Future, via email. “At this point it is almost expected to find a monthly memory corruption vulnerability in the scripting engine Microsoft browsers, as it is still a prime target for attackers who weaponize these vulnerabilities quickly.”
On the server side, the DHCP Server bug (CVE-2019-0785) is a remote code-execution (RCE) flaw that exists when the server is configured for failover; an attacker with network access to the failover DHCP server could run arbitrary code. It affects all versions of Windows Server from 2012 to 2019. A very similar vulnerability, CVE-2019-0725, was patched in May.
“One of the most critical vulnerabilities this month is present in Microsoft DHCP Server,” said Liska. “This memory corruption vulnerability…allows an attacker to send a specially crafted packet to a DHCP server and, if successful in exploitation, execute arbitrary code.”
And finally, Azure DevOps Server/Team Foundation Server Azure DevOps Server and Team Foundations Server (TFS) are affected by an RCE vulnerability (CVE-2019-1072) that can be exploited through malicious file uploads.
“Anyone who can upload a file can run code in the context of the Azure DevOps/TFS account,” according to Qualys. “This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.”
Liska meanwhile noted that successful exploits of this vulnerability require the targeted project to allow anonymous file submissions.
“If an attacker submitted a specially crafted file to the target project as an anonymous user, they would be able to execute arbitrary code on the target server,” he said. “Azure has not been a big target for exploitation in the past, but this is a vulnerability that should be quickly patched due to the ease with which this vulnerability could be exploited at scale.”
Actively Exploited Privilege-Escalation Bugs
The software giant also released important-level patches for two privilege-escalation vulnerabilities in Win32k and splwow64, which are being actively exploited in the wild. Qualys said that the patches, though labeled as important, should be prioritized since they could be chained with other vulnerabilities to provide an attacker with complete system access. In other words, once they have elevated their privilege level, attackers could exploit another vulnerability to allow them to execute code.
The Win32 flaw (CVE-2019-1132) affects Windows 7, Server 2008 and Server 2008 R2.
“While an attacker would have to gain log on access to the system to execute the exploit, the vulnerability if exploited would allow the attacker to take full control of the system,” said Chris Goettl, director of product management for security at Ivanti, via email.
Meanwhile, the bug in splwow64 (CVE-2019-0880), which is the print driver host for 32-bit applications, would allow an attacker to go from low to medium-integrity privileges. If the patch can’t be deployed immediately, the vulnerability can be mitigated by disabling the print spooler. It affects Windows 8.1, Server 2012 and later OS.
Outlook, Linux SACK and Advisories Worth Noting
Microsoft also issued two notable advisories, one for Outlook on the web and the other for the known Linux kernel vulnerabilities that were disclosed in June – along with a few other patches that administrators should prioritize, according to researchers.
A cross-site scripting vulnerability in Outlook on the web (formerly OWA) would allow an attacker to send a malicious SVG file to a target in order to exploit it. However, success requires the targeted user to open the image file directly by dragging it to a new tab or pasting the URL into a new tab.
“While this is an unlikely attack scenario, Microsoft recommends blocking SVG images,” according to Qualys.
Several denial-of-service (DoS) vulnerabilities meanwhile were reported in June for the Linux kernel (CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479). Three related flaws were found in the Linux kernel’s handling of TCP networking; the first two are related to TCP Selective Acknowledgement (SACK) packets combined with the Maximum Segment Size parameter, and the third solely with the Maximum Segment Size parameter. The most severe vulnerability (CVE-2019-11477, dubbed SACK Panic) impacts Linux kernels 2.6.29 versions and above. It could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability.
Microsoft’s advisory details the impact of the kernel bugs on its systems.
Also of note is a patch for an SQL Server RCE flaw (CVE-2019-1068). This vulnerability is ranked as important, and does require authentication – however, it could also be chained with SQL injection to allow an attacker to completely compromise the server, according to Qualys, so should be prioritized.
And, one of the other patches that researchers said is worth highlighting is CVE-2019-0887, a medium-level vulnerability against Remote Desktop Services (RDS) that was disclosed by Check Point last month. The bug exists in how RDS handles clipboard redirection, according to Liska. It requires an attacker to have access to an RDS server; when a victim connects to that server, an attacker can exploit the vulnerability to execute arbitrary code on the victim system. The bug affects all versions of Windows from Windows 7 to 10, and Windows Server 2008 to 2019.
Adobe July Patch Tuesday Updates
Adobe meanwhile issued patches for Bridge CC, Experience Manager and Dreamweaver. Experience Manager is patched for three vulnerabilities, while Bridge and Dreamweaver each have one.
None are labeled as critical, and the highest rated vulnerability for each software package is labeled as important.
“Adobe released three patches for July, but surprisingly, none are for Adobe Flash or Acrobat Reader,” said Dustin Childs, researcher with Trend Micro’s Zero-Day Initiative (ZDI), in a blog. “Instead, a total of five CVEs are addressed by fixes for Adobe Bridge, Experience Manager, and Dreamweaver. The CVE corrected by the Bridge patch fixes an information disclosure bug and was reported through the ZDI program. The Experience Manager patch is the largest this month, with three CVEs referenced. All are input validation bugs. The patch for Dreamweaver corrects a single DLL-loading issue. None of these bugs are listed as being publicly known or under active attack at the time of release.”
Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More