Microsoft Patches Zero-Day Vulnerabilities Under Active Attack

Microsoft issued fixes for 77 unique vulnerabilities this Patch Tuesday, including two zero-day privilege escalation vulnerabilities seen exploited in the wild.

Kelly Sheridan, Former Senior Editor, Dark Reading

July 9, 2019


Microsoft today patched 77 vulnerabilities and issued two advisories as part of its July security update. Two of these bugs are under active attack; six were publicly known at the time fixes were released.

Of the CVEs fixed today, 15 were categorized as Critical, 62 were rated Important, and one was ranked Moderate in severity. Patches address vulnerabilities in a range of Microsoft services including Microsoft Windows, Internet Explorer, Office and Office Services and Web Apps, Azure, Azure DevOps, .NET Framework, Visual Studio, SQL Server, ASP.NET, Exchange Server, and Open Source Software.

One of the vulnerabilities under active attack is CVE-2019-1132, a Win32k elevation of privilege flaw that exists when the Win32k component fails to properly handle objects in memory. Successful exploitation could lead to arbitrary code execution in kernel mode, which is normally reserved for trusted OS functions. An attacker would need access to a target system to exploit the bug and elevate privileges.

The other flaw seen exploited in the wild is CVE-2019-0880, another elevation of privilege vulnerability that exists in how splwow64.exe handles certain calls. On its own, the bug doesn't enable arbitrary code execution, but it could allow arbitrary code to run if an attacker uses it in combination with another bug, such as a remote code execution bug or another elevation of privilege flaw. Given it's under attack, it's likely this was paired with a second vulnerability, but Microsoft has not shared details on this.

"These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access," says Qualys' patch management expert Jimmy Graham.

Graham also points to CVE-2019-0785, a Critical memory corruption vulnerability that exists in Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker with network access to the failover DHCP could run arbitrary code, he explains, noting that this patch should be prioritized for any organizations with systems running DHCP in failover mode.

"One of the most critical vulnerabilities this month is present in Microsoft DHCP server," says Allan Liska, intelligence analyst for Recorded Future. "This memory corruption vulnerability affects all versions of Windows Server from 2012 - 2019 and it is remotely exploitable." Recorded Future hasn't seen the bug being abused in the wild, he continues, and it doesn't appear to be a widely exploited flaw. "That does not mean organizations should not prioritize patching this vulnerability," Liska says.

Also worth noting is the publicly known vulnerability CVE-2019-1068, a remote code execution flaw that exists in Microsoft's SQL Server when it incorrectly handles processing of internal functions. An attacker who sends a specially crafted query to an affected SQL server and successfully exploits the flaw could execute code in the context of the SQL Server Database Engine service account.

CVE-2019-1068 is categorized as Important, and it does require authentication, Graham points out. However, it could be chained with SQL injection to let an attacker completely compromise the server.

Satnam Narang, senior research engineer at Tenable, also points to CVE-2019-0887, a publicly known remote code execution vulnerability in Remote Desktop Services, formerly known as Terminal Services. "Exploitation of this vulnerability could result in arbitrary code execution, but requires an attacker to have already compromised a target system," he explains. A successful attacker would first have to gain access to a system running RDS, then wait for a victim system to connect to RDS. When the victim connects to the server, the attacker can exploit the bug to execute code on the victim's system.

Microsoft patched four more publicly known bugs: Docker elevation of privilege vulnerability CVE-2018-15664; SymCrypt denial of service vulnerability CVE-2019-0865; Azure automation elevation of privilege vulnerability CVE-2019-0962; and Windows elevation of privilege vulnerability CVE-2019-1129.

Two advisories were also published today: one warns of a cross-site scripting vulnerability in Outlook on the Web. Another advisory alerts users to a Servicing Stack Update for all supported versions of Windows 10, Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.


About the Author

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
