News

Microsoft July Security Release Addresses 16 Critical Vulnerabilities

Microsoft on Tuesday released its July security patch bundle, which addresses about 77 common vulnerabilities and exposures (CVEs) across various Microsoft products.

The July bundle includes patches for 16 vulnerabilities that were rated "Critical," along with 60 rated "Important" plus one rated "Moderate," according to a tally compiled in Cisco's Talos blog. Two of the vulnerabilities have already been exploited. Six vulnerabilities were publicly disclosed beforehand, implying greater risk for organizations and individuals.

Of the two exploited vulnerabilities, CVE-2019-0880 describes an Important vulnerability in the splwow64 printer host driver affecting Windows 8.1, Windows Server 2012 and later operating systems, according to analysis by Chris Goettl, director of product management for security at Ivanti. It's a potential elevation-of-privilege exploit that could enable code execution on a system. CVE-2019-1132, the other exploited vulnerability getting a patch this month, affects the Win32k system process in Windows 7, Windows Server 2008 and Windows Server 2008 R2. It also could lead to an elevation-of-privilege exploit, but an attacker could "take full control of the system" if successful, Goettl indicated, in an e-mail.

The six publicly disclosed vulnerabilities are as follows, according to a review by Dustin Childs of Trend Micro's Zero Day Initiative:

  • CVE-2018-15664 is an Important vulnerability in open source Docker software that was publicly disclosed in May 2019 (despite its 2018 nomenclature) that "could give attackers arbitrary read-write access to the host filesystem with root privileges," according to Childs, adding that "a true fix isn’t available yet."
  • CVE-2019-0865 is an Important SymCrypt vulnerability in the Windows crypto library, where the patch addresses a potential denial-of-service vulnerability.
  • CVE-2019-0887 is an Important Remote Desktop Services vulnerability that could lead to remote code execution.
  • CVE-2019-0962 is an Important Azure Automation service vulnerability.
  • CVE-2019-1068 is an Important SQL Server vulnerability, triggered via a "specially crafted query," that could enable remote code execution.
  • CVE-2019-1129 is an Important Windows vulnerability potentially leading to elevation of privilege.

Childs also noted that there are two advisories issued by Microsoft this month. ADV190021 is about an Important cross-site scripting vulnerability affecting Outlook on the Web applications. There's no patch, but Microsoft is recommending blocking images in SVG (Scalable Vector Graphics) format in Outlook on the Web. The exploit scenario is "a bit convoluted," though, according to Childs. ADV990001 is an advisory describing the latest Windows servicing stack updates that need to be applied. These servicing stack updates are needed to make the Windows update system work.

Microsoft summarizes the products that are affected by the July security updates at this "Release Notes" page. A line-by-line list of the July updates, totaling 63 pages, can be found at Microsoft's Security Update Guide site.

IT pros may also find the patch Tuesday compilation by Morphus Labs helpful. It shows patch details in dashboard form. Vulnerabilities are listed by their Common Vulnerability Scoring System rankings.

Goettl noted that Adobe and Mozilla also released patches this week. Oracle will deliver its security patches next Tuesday. Since Java 11 now contains JRE components, developers will "need to update their version of the JDK and build the application again to include the new JRE components if any were vulnerable," he noted. Ivanti plans to describe more during its Patch Tuesday talk, which is scheduled for July 10 (sign-up here).

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • Azure Active Directory ID Protection 'Refresh' Now Available

    Microsoft's enhancements to the Azure Active Directory Identity Protection service are now said to be "generally available" (GA), or ready for commercial use, per a Wednesday announcement.

  • Microsoft Releases Windows 10 Version 1909

    Microsoft on Tuesday announced the release of Windows 10 version 1909, a new operating system product that's also known as the "Windows 10 November 2019 Update."

  • November Microsoft Security Bundle Addresses 75 Vulnerabilities

    Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."

  • The Future of Office 365 Pricing

    With a raft of new Office 365 features in the pipeline, Microsoft also seems ready to change the way it bills its subscribers. Will it replicate Azure's pay-per-use model, or will it look like something else entirely?

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.