Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

7/9/2019
04:20 PM

Microsoft Patches Zero-Day Vulnerabilities Under Active Attack

Microsoft issued fixes for 77 unique vulnerabilities this Patch Tuesday, including two zero-day privilege escalation vulnerabilities seen exploited in the wild.

Microsoft today patched 77 vulnerabilities and issued two advisories as part of its July security update. Two of these bugs are under active attack; six were publicly known at the time fixes were released.

Of the CVEs fixed today, 15 were categorized as Critical, 62 were rated Important, and one was ranked Moderate in severity. Patches address vulnerabilities in a range of Microsoft services including Microsoft Windows, Internet Explorer, Office and Office Services and Web Apps, Azure, Azure DevOps, .NET Framework, Visual Studio, SQL Server, ASP.NET, Exchange Server, and Open Source Software.

One of the vulnerabilities under active attack is CVE-2019-1132, a Win32k elevation of privilege flaw that exists when the Win32k component fails to properly handle objects in memory. Successful exploitation could lead to arbitrary code execution in kernel mode, which is normally reserved for trusted OS functions. An attacker would need access to a target system to exploit the bug and elevate privileges.

The other flaw seen exploited in the wild is CVE-2019-0880, another elevation of privilege vulnerability that exists in how splwow64.exe handles certain calls. On its own, the bug doesn't enable arbitrary code execution, but it could allow arbitrary code to run if an attacker uses it in combination with another bug, such as a remote code execution bug or another elevation of privilege flaw. Given that it is under active attack, it was likely paired with a second vulnerability, but Microsoft has not shared details.

"These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access," says Qualys' patch management expert Jimmy Graham.

Graham also points to CVE-2019-0785, a Critical memory corruption vulnerability in the Windows Server DHCP service that is triggered when an attacker sends specially crafted packets to a DHCP failover server. An attacker with network access to the failover DHCP server could run arbitrary code, he explains, noting that this patch should be prioritized by any organization with systems running DHCP in failover mode.

"One of the most critical vulnerabilities this month is present in Microsoft DHCP server," says Allan Liska, intelligence analyst for Recorded Future. "This memory corruption vulnerability affects all versions of Windows Server from 2012 - 2019 and it is remotely exploitable." Recorded Future hasn't seen the bug being abused in the wild, he continues, and it doesn't appear to be a widely exploited flaw. "That does not mean organizations should not prioritize patching this vulnerability," Liska says.
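Both Graham and Liska single out the DHCP failover case, so the first question for a defender is which DHCP servers are actually in a failover relationship and whether they have the update yet. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the DhcpServer module (installed with the DHCP Server role or RSAT) is available, and the KB identifier is a placeholder because the article does not give one.

```powershell
# Added example (not from the article or Microsoft): triage a Windows DHCP server for
# CVE-2019-0785 exposure. Run from an account with read access to the DHCP server.
# $RequiredKb is a placeholder: substitute the July 2019 update ID for the target OS build.

function Test-DhcpFailoverExposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$RequiredKb   = 'KBXXXXXXX'   # placeholder, see note above
    )

    $result = [ordered]@{
        ComputerName     = $ComputerName
        DhcpRolePresent  = $false
        FailoverPartners = @()
        UpdateInstalled  = $false
        Priority         = 'n/a'
    }

    # 1. CVE-2019-0785 lives in the DHCP Server service; hosts without the role are out of scope.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DHCPServer'" `
                           -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $result.Priority = 'not applicable (no DHCP Server role)'
        return [pscustomobject]$result
    }
    $result.DhcpRolePresent = $true

    # 2. Only servers in a failover relationship handle the failover traffic the article
    #    says carries the crafted packets, so those get the highest priority.
    $failover = Get-DhcpServerv4Failover -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($failover) {
        $result.FailoverPartners = @($failover | ForEach-Object {
            '{0} -> {1} ({2}, {3})' -f $_.Name, $_.PartnerServer, $_.Mode, $_.State
        })
    }

    # 3. Is the cumulative update that carries the fix already installed?
    $hotfix = Get-HotFix -Id $RequiredKb -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $result.UpdateInstalled = [bool]$hotfix

    # 4. Rank: unpatched failover servers first, unpatched standalone DHCP servers next.
    if ($result.UpdateInstalled) { $result.Priority = 'patched' }
    elseif ($result.FailoverPartners.Count -gt 0) { $result.Priority = 'HIGH: unpatched DHCP failover server' }
    else { $result.Priority = 'medium: unpatched DHCP server without failover' }

    [pscustomobject]$result
}

# Usage: sweep every DHCP server authorized in Active Directory.
# Get-DhcpServerInDC | ForEach-Object { Test-DhcpFailoverExposure -ComputerName $_.DnsName } | Format-Table -AutoSize
```

The script deliberately separates "has the role" from "has a failover partner": the first group still needs the patch, but the second is the one Graham and Liska say to move to the front of the queue.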

Another flaw worth noting is the publicly known vulnerability CVE-2019-1068, a remote code execution flaw in Microsoft's SQL Server that stems from incorrect handling of internal functions. An attacker who successfully exploited it could execute code in the context of the SQL Server Database Engine service account, by sending a specially crafted query to an affected SQL server.

CVE-2019-1068 is categorized as Important, and it does require authentication, Graham points out. However, it could be chained with SQL injection to let an attacker completely compromise the server.
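Two defender checks follow directly from the CVE-2019-1068 discussion: which Windows account each Database Engine service runs as, since that is where any code execution would land, and whether applications reaching the server still build queries by string concatenation, which is the SQL injection link Graham says the bug could be chained with. The PowerShell below is an added example, not code from the article or from Microsoft; the connection string and the dbo.Accounts table are hypothetical placeholders.

```powershell
# Added example (not from the article or Microsoft). Assumes a reachable SQL Server instance
# described by a connection string and a hypothetical table dbo.Accounts(Name).

function Get-SqlEngineServiceAccount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Database Engine services are named MSSQLSERVER (default instance) or MSSQL$<instance>;
    # the LIKE filter also picks up helper services such as the full-text launcher, which is harmless here.
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name LIKE 'MSSQL%'" |
        Select-Object @{ n = 'Computer'; e = { $ComputerName } }, Name, StartName, State |
        ForEach-Object {
            # An engine running as SYSTEM turns an engine-context RCE into full host compromise.
            $risk = if ($_.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { 'HIGH: runs as SYSTEM' } else { 'review' }
            $_ | Add-Member -NotePropertyName Risk -NotePropertyValue $risk -PassThru
        }
}

# Unsafe pattern, shown only for contrast: the caller-supplied value becomes part of the
# statement text, so a value containing a single quote (even an innocent O'Brien) changes
# the statement's structure. That is the opening SQL injection needs.
function New-UnsafeQueryText {
    param([string]$Name)
    "SELECT Name FROM dbo.Accounts WHERE Name = '$Name'"
}

# Safe pattern: the value travels as a typed parameter and is never parsed as SQL.
function Get-AccountByName {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$Name
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT Name FROM dbo.Accounts WHERE Name = @Name'
        $p = $cmd.Parameters.Add('@Name', [System.Data.SqlDbType]::NVarChar, 128)
        $p.Value = $Name
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }
        $reader.Close()
    }
    finally {
        $conn.Close()
    }
}

# Usage (placeholders):
# Get-SqlEngineServiceAccount -ComputerName 'sql01' | Format-Table -AutoSize
# New-UnsafeQueryText -Name "O'Brien"      # shows the broken statement text
# Get-AccountByName -ConnectionString 'Server=sql01;Database=AppDb;Integrated Security=True' -Name "O'Brien"
```

Running the engine under a low-privilege service account and parameterizing queries do not replace the patch; they bound what an attacker gains if the authenticated RCE is reached.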

Satnam Narang, senior research engineer at Tenable, also points to CVE-2019-0887, a publicly known remote code execution vulnerability in Remote Desktop Services, formerly known as Terminal Services. "Exploitation of this vulnerability could result in arbitrary code execution, but requires an attacker to have already compromised a target system," he explains. A successful attacker would first have to gain access to a system running RDS, then wait for a victim system to connect to it. When the victim connects to the server, the attacker can exploit the bug to execute code on the victim's system.

Microsoft patched four more publicly known bugs: Docker elevation of privilege vulnerability CVE-2018-15664; SymCrypt denial of service vulnerability CVE-2019-0865; Azure automation elevation of privilege vulnerability CVE-2019-0962; and Windows elevation of privilege vulnerability CVE-2019-1129.

Two advisories were also published today: one warns of a cross-site scripting vulnerability in Outlook on the Web; the other alerts users to a Servicing Stack Update for all supported versions of Windows 10, Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
