July 2019 Patch Tuesday: Microsoft plugs two actively exploited zero-days
For July 2019 Patch Tuesday, Microsoft has pushed out patches for 78 CVE-numbered vulnerabilities (15 of them critical) and Adobe for three, but none of them in its most widely used software.
Adobe patches
It’s unusual to see no patches for Flash or Acrobat/Reader, but I suppose it had to happen sometimes. Instead, Adobe released patches for flaws in:
- Dreamweaver (a privilege escalation flaw in the software’s installer)
- Bridge CC (an information disclosure flaw that can be triggered via malformed SVG images)
- Experience Manager (three flaws that could lead to disclosure of sensitive information).
None of these are critical nor exploited in the wild.
Microsoft patches
Of the 78 flaws fixed, two are under active exploitation: CVE-2019-0880 and CVE-2019-1132.
The former has been flagged by Resecurity and the latter by ESET. Both can be used by attackers to elevate their privileges on target machines, but the latter apparently only works on older Windows versions (Windows 7 and Server 2008).
Other vulnerabilities of special note include:
CVE-2019-1068 – a remote code execution flaw that can be triggered by a specially crafted query sent to a vulnerable SQL server.
“This vulnerability is ranked as Important, and does require authentication. However, [it] could be chained with SQL injection to allow an attacker to completely compromise the server,” notes Jimmy Graham, Senior Director of Product Management at Qualys.
CVE-2019-0865 – a denial of service vulnerability in SymCrypt, the library used by Windows to .handle cryptographic functions on Windows.
“Using a specially-crafted digital signature, an attacker could exploit this flaw by embedding the signature in a message or as part of a secure connection request. This vulnerability was publicly disclosed in June by Google Project Zero researcher Tavis Ormandy,” says Satnam Narang, senior research engineer at Tenable.
CVE-2019-0887 – a RCE flaw in Remote Desktop Services. To exploit it, the attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to Remote Desktop Services.
“This vulnerability was first published in a blog on Reverse RDP attacks in February 2019 which included one CVE that did not receive a CVE-ID,” Narang noted.
CVE-2018-15664 – an elevation of privilege flaw in Docker runtime (and the underlying community project, Moby). Technically, no fix for it is yet available.
“There is a pull request in review to fix this vulnerability. After the fix is merged in the upstream Moby project, we will build and release a new Moby build for use with AKS. For Azure IoT Edge customers, we will make the fixed Moby packages available along with installation instructions,” Microsoft explained.
Until that happens, Microsoft recommends that customers refrain from allowing the use of the Docker copy command on their AKS clusters and Azure IoT Edge devices.
According to Graham, enterprise admins should also prioritize:
- Scripting Engine, Browser, GDI+, and .NET Framework patches for workstation-type devices (i.e., any system that is used for email or to access the internet via a browser) and multi-user servers that are used as remote desktops for users.
- The patch for CVE-2019-1072, a RCE exploitable through malicious file uploads, affecting Azure DevOps Server and Team Foundations Server.
UPDATE (July 10, 2019, 2:43 a.m. PT):
ESET has shared more information about CVE-2019-1132 and has explained why the exploit works only on older Windows versions.
“People who still use Windows 7 for 32-bit systems Service Pack 1 should consider updating to newer operating systems, since extended support of Windows 7 Service Pack 1 ends on January 14th, 2020. Which means that Windows 7 users won’t receive critical security updates. Thus, vulnerabilities like this one will stay unpatched forever,” ESET researcher Anton Cherepanov noted.