Virtual Administrator’s July 2019 Patch Recommendations
This month Microsoft released patches for 77 vulnerabilities with 16 rated “Critical”, 60 as “Important”, and 1 “Moderate”.
All July patches have been approved in our patch policy.
Remarkably there is no Adobe Flash update this month. Two-thirds of this month’s critical vulnerabilities are in Microsoft’s browsers. There are 2 zero-day flaws this month CVE-2019-1132 and CVE-2019-0880. These are “elevation of privilege” vulnerabilities. There are reports that CVE-2019-0880 is already being exploited. A DHCP vulnerability (CVE-2019-0785) exists in most supported versions of Windows server using a DHCP failover server. Remote Desktop Services (RDP) has a remote code execution flaw (CVE-2019-0887). Patches for the above are included in the Cumulative Update/Monthly Rollup.
SHA-2 Code Signing Support becomes mandatory on Windows 7 and Server 2008/2008R2. Per the “Heads Up” link below these patches were released over the past few months and should already be installed. Enforcement starts this month.
More SSUs this month and new .NET Framework updates but no widely reports issues with either.
FYI [ADV990001] – New Servicing Stack Updates (SSU) for Windows 10, 8.1 and Server 2012/2012R2
Heads Up! 2019 SHA-2 Code Signing Support requirement for Windows and WSUS
“Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019.”
Disclosed: CVE-2019-0865, CVE-2019-0887, CVE-2019-0962, CVE-2019-1129, CVE-2018-15664 and CVE-2019-1068
Exploited: CVE-2019-0880
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software include:
- Microsoft Windows
- Internet Explorer
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- Azure DevOps
- Open Source Software
- .NET Framework
- Azure
- SQL Server
- ASP.NET
- Visual Studio
- Microsoft Exchange Server
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 07/09/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
ADV190021 | Outlook on the web Cross-Site Scripting Vulnerability (Published: 07/09/2019)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190021
A cross-site scripting vulnerability has been discovered that affects Outlook on the web (formerly known as Outlook Web App) on-premise deployments. To exploit this vulnerability, an attacker must send a victim an email containing custom HTML content. The victim must then drag and drop an image that was included in the email into a new browser tab. Alternatively, a victim could paste the URL of the image into a new browser tab. The vulnerability requires that the image be sent in SVG format.
Microsoft is addressing this vulnerability by recommending that administrators for Outlook on the web block SVG images. See the Mitigations section for instructions.
Known Issues per Microsoft
Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.
Windows 10 release information
https://docs.microsoft.com/en-us/windows/release-information/
There is only 1 new known issues this month that affects the Window-Eyes screen reader app. It is listed in all the cumulative/rollup patches and in the standalone Security Update for Internet Explorer.
Again Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will now.
Known Issues by product
Window-Eyes screen reader
Symptom: After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.
Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.
Workaround: None
Status: Microsoft is working on a resolution and will provide an update in an upcoming release.
Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB4507449 – Windows 7, Windows Server 2008 R2
- KB4507448 – Windows 8.1, Windows Server 2012 R2
- KB4507462 – Windows Server 2012
- KB4507452 – Windows Server 2008
Security Only Update
- KB4507456 – Windows 7, Windows Server 2008 R2
- KB4507457 – Windows 8.1, Windows Server 2012 R2
- KB4507464 – Windows Server 2012
- KB4507461 – Windows Server 2008
Cumulative Update for Windows 10
- KB4507458 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4507460 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4507450 – Version 1703 “Creators Update” (OS Build 15063)
- KB4507455 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4507435 – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB4507469 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB4507453 – Version 1903 “May 2019 Update” (OS Build 18362)
Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
KB4507434 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
None – Security Update for Adobe Flash Player
.NET Framework July 2019 Security and Quality Rollup
https://devblogs.microsoft.com/dotnet/net-framework-july-2019-security-and-quality-rollup/
July 2019 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4509295/july-2019-updates-for-microsoft-office
Notable CVEs
CVE-2019-0865 | SymCrypt Denial of Service Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0865
A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature.
An attacker could exploit the vulnerability by creating a specially crafted connection or message.
The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures.
CVE-2019-0785 | Windows DHCP Server Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0785
A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive.
To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server. However, the DHCP server must be set to failover mode for the attack to succeed.
The security update addresses the vulnerability by correcting how DHCP failover servers handle network packets.
CVE-2019-0880 | Microsoft splwow64 Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0880
A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.
This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.
CVE-2019-0887 | Remote Desktop Services Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0887
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to Remote Desktop Services.
The update addresses the vulnerability by correcting how Remote Desktop Services handles clipboard redirection.
CVE-2019-1132 | Win32k Elevation of Privilege Vulnerability (Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1132
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.