News

Microsoft July Security Release Addresses 16 Critical Vulnerabilities

• By Kurt Mackie
• 07/09/2019

Microsoft on Tuesday released its July security patch bundle, which addresses about 77 common vulnerabilities and exposures (CVEs) across various Microsoft products.

The July bundle includes patches for 16 vulnerabilities that were rated "Critical," along with 60 rated "Important" plus one rated "Moderate," according to a tally compiled in Cisco's Talos blog. Two of the vulnerabilities have already been exploited. Six vulnerabilities were publicly disclosed beforehand, implying greater risk for organizations and individuals.

Of the two exploited vulnerabilities, CVE-2019-0880 describes an Important vulnerability in the splwow64 printer host driver affecting Windows 8.1, Windows Server 2012 and later operating systems, according to analysis by Chris Goettl, director of product management for security at Ivanti. It's a potential elevation-of-privilege exploit that could enable code execution on a system. CVE-2019-1132, the other exploited vulnerability getting a patch this month, affects the Win32k system process in Windows 7, Windows Server 2008 and Windows Server 2008 R2. It also could lead to an elevation-of-privilege exploit, but an attacker could "take full control of the system" if successful, Goettl indicated, in an e-mail.

The six publicly disclosed vulnerabilities are as follows, according to a review by Dustin Childs of Trend Micro's Zero Day Initiative:

• CVE-2018-15664 is an Important vulnerability in open source Docker software that was publicly disclosed in May 2019 (despite its 2018 nomenclature) that "could give attackers arbitrary read-write access to the host filesystem with root privileges," according to Childs, adding that "a true fix isn’t available yet."
• CVE-2019-0865 is an Important SymCrypt vulnerability in the Windows crypto library, where the patch addresses a potential denial-of-service vulnerability.
• CVE-2019-0887 is an Important Remote Desktop Services vulnerability that could lead to remote code execution.
• CVE-2019-0962 is an Important Azure Automation service vulnerability.
• CVE-2019-1068 is an Important SQL Server vulnerability, triggered via a "specially crafted query," that could enable remote code execution.
• CVE-2019-1129 is an Important Windows vulnerability potentially leading to elevation of privilege.

Childs also noted that there are two advisories issued by Microsoft this month. ADV190021 is about an Important cross-site scripting vulnerability affecting Outlook on the Web applications. There's no patch, but Microsoft is recommending blocking images in SVG (Scalable Vector Graphics) format in Outlook on the Web. The exploit scenario is "a bit convoluted," though, according to Childs. ADV990001 is an advisory describing the latest Windows servicing stack updates that need to be applied. These servicing stack updates are needed to make the Windows update system work.

Microsoft summarizes the products that are affected by the July security updates at this "Release Notes" page. A line-by-line list of the July updates, totaling 63 pages, can be found at Microsoft's Security Update Guide site.

IT pros may also find the patch Tuesday compilation by Morphus Labs helpful. It shows patch details in dashboard form. Vulnerabilities are listed by their Common Vulnerability Scoring System rankings.

Goettl noted that Adobe and Mozilla also released patches this week. Oracle will deliver its security patches next Tuesday. Since Java 11 now contains JRE components, developers will "need to update their version of the JDK and build the application again to include the new JRE components if any were vulnerable," he noted. Ivanti plans to describe more during its Patch Tuesday talk, which is scheduled for July 10 (sign-up here).