The July 2019 Security Update Review
July 09, 2019 | Dustin Childs

July has arrived and so have the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for July 2019
Adobe released three patches for July, but surprisingly, none are for Adobe Flash or Acrobat Reader. Instead, a total of five CVEs are addressed by fixes for Adobe Bridge, Experience Manager, and Dreamweaver. The CVE corrected by the Bridge patch fixes an information disclosure bug and was reported through the ZDI program. The Experience Manager patch is the largest this month with three CVEs referenced. All are input validation bugs. The patch for Dreamweaver corrects a single DLL-loading issue. None of these bugs are listed as being publicly known or under active attack at the time of release.
Microsoft Patches for July 2019
This month, Microsoft released security patches for 78 CVEs and two advisories. The updates cover Microsoft Windows, Internet Explorer, Office and Office Services and Web Apps, Azure DevOps, Azure, .NET Framework, ASP.NET, Visual Studio, SQL Server, Exchange Server, and Open Source Software. Yes – Open Source Software (more on that below). Of these 78 CVEs, 15 are rated Critical, 62 are rated Important, and one is rated Moderate in severity. A total of 13 of these CVEs came through the ZDI program. Six of these bugs are listed as publicly known, and two are listed as under active attack at the time of release.
Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs being exploited:
- CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability
This patch corrects an elevation of privilege (EoP) bug in splwow64, which is the print driver host for 32-bit applications. Microsoft lists this as being actively exploited, but only on older systems. If successfully exploited, an attacker could go from low to medium-integrity. If you can’t deploy the patch immediately, you should be able to mitigate this vulnerability by disabling the print spooler.
- CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability
The other bug under active attack this month is also an EoP, this time in the Windows kernel. An attacker with access to an affected system could use this vulnerability to execute their code with kernel-level privileges. This type of bug is often used by malware to stay resident on a system. Again, there are no indications from Microsoft on how broadly this is being used, but it appears to be more on the targeted side for now.
- CVE-2019-0865 – SymCrypt Denial of Service Vulnerability
This is one of the publicly known bugs this month, and it has already received quite a bit of attention. SymCrypt is Windows’ primary crypto library for symmetric algorithms. The patch corrects a Denial-of-Service (DoS) vulnerability that could allow an attacker to effectively shut down a Windows system by sending a specially crafted X.509 certificate. Microsoft gives this a 2 on its Exploit Index (XI), which means they feel exploitation is unlikely. However, proofs of concept are already publicly available.
- CVE-2019-1068 – Microsoft SQL Server Remote Code Execution Vulnerability
Another of the publicly known bugs, this patch corrects a bug in SQL Server that could allow code execution if an attacker sends a specially crafted query to an affected SQL server. A successful exploit would execute code in the context of the Database Engine account. That doesn’t hand over the keys to the kingdom, but the account does have elevated privileges. The update also covers SQL Server 2017 on Linux and in Linux Docker containers. Since SQL Servers are generally part of an enterprise’s critical infrastructure, definitely test and deploy this patch to your SQL Servers quickly.
- CVE-2018-15664 – Docker Elevation of Privilege Vulnerability
This publicly known bug actually affects open source software. A vulnerability in Docker could give attackers arbitrary read-write access to the host filesystem with root privileges. This is caused by the API endpoint behind the “docker cp” command being affected by a symlink-exchange attack with Directory Traversal. Despite the 2018 CVE, this was only publicly disclosed in May. Unfortunately, a true fix isn’t available yet. While there is a pull request in review to fix this vulnerability, the only guidance for users is to avoid using the Docker copy command on their AKS clusters and Azure IoT Edge devices.
Here’s the full list of CVEs released by Microsoft for July 2019.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
--- | --- | --- | --- | --- | --- | --- | --- |
CVE-2019-0880 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | No | Yes | 1 | 0 | EoP |
CVE-2019-1132 | Win32k Elevation of Privilege Vulnerability | Important | No | Yes | N/A | 0 | EoP |
CVE-2018-15664 | Docker Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2019-0865 | SymCrypt Denial of Service Vulnerability | Important | Yes | No | 2 | 2 | DoS |
CVE-2019-0887 | Remote Desktop Services Remote Code Execution Vulnerability | Important | Yes | No | 1 | 1 | RCE |
CVE-2019-0962 | Azure Automation Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | Yes | No | 2 | 2 | RCE |
CVE-2019-1129 | Windows Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 | EoP |
CVE-2019-0785 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1001 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1004 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1056 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2019-1059 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1062 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1063 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1072 | Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1092 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1103 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1104 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1106 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1107 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1113 | .NET Framework Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-0811 | Windows DNS Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0966 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0975 | ADFS Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-0999 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2019-1006 | WCF/WIF SAML Token Authentication Bypass Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1037 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1067 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1071 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2019-1073 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2019-1074 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1076 | Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2019-1077 | Visual Studio Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1079 | Visual Studio Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1082 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
CVE-2019-1083 | .NET Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1084 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1085 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1086 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1087 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1088 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1089 | Windows RPCSS Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1090 | Windows dnsrlvr.dll Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1091 | Microsoft unistore.dll Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1093 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1094 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1095 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1096 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1097 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1098 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1099 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1100 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1101 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1105 | Outlook for Android Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2019-1108 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2019-1109 | Microsoft Office Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1110 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1111 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1112 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2019-1116 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1117 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1118 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1119 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1120 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1121 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1122 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1123 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1124 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1126 | ADFS Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1127 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1128 | DirectWrite Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1130 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1134 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2019-1136 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1137 | Microsoft Exchange Server Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1075 | ASP.NET Core Spoofing Vulnerability | Moderate | No | No | 2 | 2 | Spoof |
The other publicly known bugs patched this month involve Remote Desktop Services (RDS), Azure, and Windows. The RDS bug is much less severe than the wormable RDS bug from May. This month’s bug allows an authenticated attacker to abuse clipboard redirection, which means an attacker needs to have already compromised systems running RDS. The dire-sounding “Windows Elevation of Privilege Vulnerability” is really a problem with the Windows AppX Deployment Service (AppXSVC). It appears to be similar to, but unrelated to, the AppXSVC patch released last month.
The publicly known Azure bug could allow an attacker to access KeyVault secrets through a runbook, which means the attacker must be a member of an organization who can run runbooks. Rather than patch this vulnerability, Microsoft has provided two scripts for existing RunAsAutomation accounts that modify the existing roles to exclude access to KeyVault within the Azure Automation account.
Looking at the Critical-rated vulnerabilities patched for July, 11 of the 15 are related to web browsers. There’s an RCE in the DHCP server when receiving specially crafted packets, but the DHCP server needs to be set to failover mode for an attack to succeed. An RCE also exists in the GDI+ library that opens a system to an open-and-own or browse-and-own scenario. The Azure DevOps Server and Team Foundation Server each have an RCE that could occur when an attacker submits a specially crafted file to an affected server. This could be done without authentication if you set your server to allow anonymous uploads, but you wouldn’t do that. The final RCE addressed this month is a bug in the .NET Framework. Code execution could occur if an attacker can convince a user to open a specially crafted file with an affected version of .NET Framework.
Other notable patches this month include updates to address two separate bugs in the Windows DNS server. The first is a remote DoS reached through a specially crafted query, but the server must be set to use DNS Analytical Logging for the attack to succeed. The other is a local privilege escalation (LPE) through the DNS Caching Resolver Service (dnsrlvr.dll). The Exchange Server also gets three patches this month. The first fixes a bug that could allow a man-in-the-middle attack resulting in the impersonation of anyone on the Exchange server. The second is listed as spoofing, but manifests as a cross-site scripting (XSS) bug. The final patch affects Exchange plus Outlook, Lync, and Skype for Business. By creating entities with Display Names containing non-printable characters on an Exchange server, an attacker could surreptitiously add such entities to conversations without being noticed. Also note that the updates for Office for Mac and Outlook for iOS are not yet available. Outlook for Android does receive an updated version to correct an XSS bug, which you can download through the Google Play store.
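The Display Name issue above is one an administrator can audit for directly. The following is an added example, not code from the original post or from Microsoft: it scans a constructed list of display names (the kind of export you would pull from your own directory) and reports any that contain control, format, private-use or unusual spacing characters, with the offending code points so they can be reviewed.

```python
import unicodedata

# Unicode general categories that never belong in a human-readable display name:
# Cc = control, Cf = format (zero-width joiners, bidi overrides), Co = private use.
SUSPECT_CATEGORIES = {"Cc", "Cf", "Co"}


def suspicious_codepoints(name):
    """Return (offset, 'U+XXXX', unicode name) for each non-printable character.

    Any separator other than a plain ASCII space (no-break space, line/paragraph
    separators) is also flagged, since it renders like a space but is invisible
    to a casual reader comparing two names.
    """
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in SUSPECT_CATEGORIES or (cat.startswith("Z") and ch != " "):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, cat)))
    return hits


def audit_display_names(names):
    """Map each flagged name to its offending code points; clean names are omitted."""
    report = {}
    for name in names:
        hits = suspicious_codepoints(name)
        if hits:
            report[name] = hits
    return report


# Constructed sample input standing in for a directory export; not real tenant data.
SAMPLE_NAMES = [
    "Alice Example",
    "Bob Example\u200b",    # zero-width space appended
    "\u202eCarol Example",  # right-to-left override prefix
    "Dave\x07 Example",     # bell control character embedded
    "Eve Example",
]

if __name__ == "__main__":
    for name, hits in audit_display_names(SAMPLE_NAMES).items():
        print(repr(name), "->", hits)
```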
The Microsoft Graphics media components receive a combined 25 patches in July, correcting a mix of RCE, LPE, and information disclosure bugs. Addressing info disclosure bugs isn’t always exciting, but fixing them usually makes it more difficult for attackers to leak the memory location needed for further exploitation. Office also receives a few patches to correct mostly Excel bugs. The Windows Kernel also receives its monthly stipend of new patches.
Rounding out this month’s release, the .NET Framework receives a few updates. The most notable involves bypassing Security Assertion Markup Language (SAML) token validation and impacts multiple components. An attacker could impersonate another user by signing a SAML token with an arbitrary symmetric key. There are updates to .NET, Windows, Microsoft Identity Module, SharePoint, and NuGet, and yes – you’ll need all applicable updates for your system to completely resolve this vulnerability. ASP.NET and Visual Studio also receive a few less exciting patches.
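To make the SAML bug class concrete, here is an added example (not Microsoft’s code, and a deliberately simplified model rather than real SAML XML signature handling). It assumes a token that carries a key identifier, a MAC over the assertion and, as the vulnerable validator expects, the raw symmetric key material. The vulnerable validator derives its verification key from the token itself, so any key the sender chooses verifies; the hardened validator only resolves keys through the relying party’s configured trust store.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: key ids the relying party trusts and their secrets.
# A real deployment keeps these in configuration or a key vault, not in source.
TRUSTED_KEYS = {"idp-2019": b"shared-secret-with-real-idp"}


def _canonical(assertion):
    """Stable byte encoding of the assertion so both sides MAC the same bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def mint_token(assertion, key_id, key):
    """Build a token: assertion, key id, embedded key material and a MAC."""
    mac = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "key_id": key_id,
            "key_material": base64.b64encode(key).decode(), "mac": mac}


def verify_vulnerable(token):
    """Trusts the key material shipped inside the token (the flawed pattern)."""
    key = base64.b64decode(token["key_material"])
    expected = hmac.new(key, _canonical(token["assertion"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


def verify_hardened(token):
    """Ignores any key in the token; resolves the key only via the trust store."""
    key = TRUSTED_KEYS.get(token["key_id"])
    if key is None:
        return False
    expected = hmac.new(key, _canonical(token["assertion"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


def demo():
    """Legitimate token from the real IdP versus a token MACed with a chosen key."""
    legit = mint_token({"subject": "alice", "issuer": "idp"},
                       "idp-2019", TRUSTED_KEYS["idp-2019"])
    forged = mint_token({"subject": "admin", "issuer": "idp"},
                        "idp-2019", b"sender-chosen-key")
    return {"legit_vulnerable": verify_vulnerable(legit),
            "legit_hardened": verify_hardened(legit),
            "forged_vulnerable": verify_vulnerable(forged),
            "forged_hardened": verify_hardened(forged)}


if __name__ == "__main__":
    print(demo())
```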
The new advisory for this month addresses an XSS bug in Outlook for the web (née Outlook Web Access). The exploit scenario is a bit convoluted and would require quite a bit of social engineering, but there is no patch. Instead, Microsoft is recommending administrators block SVG images. The other advisory for July is another update to the Windows Servicing Stack, which adds updates for Windows 10, Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.
Looking Ahead
The next patch Tuesday falls on August 13, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!