Patch Central
We’re now well into the long, hot summer of 2019 and many of us would like nothing more than a day at the beach with a refreshing drink and the ocean breeze blowing our hair. For most of us, though, today is not that day. As usual on the second Tuesday of the month, we have updates to install before we can earn a little rest and relaxation.
The good news is that it’s not an especially heavy patching month. The client versions of Windows have only a single critical vulnerability to be patched this time, but the bad news is that it affects every version of the Windows client and server operating systems and there are multiple ways an attacker can exploit it, so addressing it before it’s exploited should be high on your “to do” list. Most Windows Server versions are getting fixes for two critical issues. Each OS version also receives patches for between eighteen and thirty-eight vulnerabilities rated “important.”
In addition to the OS fixes, Microsoft also released the usual updates for its web browsers and various other software products, to the tune of more than two hundred separate entries for this date in the Security Update Guide. As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.
IT admins and security pros may also be interested in the publication of Microsoft’s new security configuration framework for Windows 10, known as the SECCON framework. It addresses five different levels of security measures based on the security needs for a particular system. Recommendations are grouped into four categories: hardware, policies, controls, and behaviors. Find out more about it here.
Meanwhile, we’ll drill down into some of the specifics of this month’s updates and the vulnerabilities that they address.
The following security advisories were released on Patch Tuesday this month:
ADV190021 | Outlook on the web Cross-Site Scripting Vulnerability – This advisory addresses a cross-site scripting vulnerability that affects Outlook on the web (formerly known as Outlook Web App) on-premises deployments. To exploit this vulnerability, an attacker must send a victim an email containing custom HTML content. The victim must then drag and drop an image that was included in the email into a new browser tab, or a victim could paste the URL of the image into a new browser tab. The vulnerability requires that the image be sent in SVG format. Microsoft is addressing this vulnerability by recommending that administrators for Outlook on the web block SVG images, and the advisory includes instructions for mitigation.
As usual, the largest number of vulnerabilities patched is in Windows 10. Versions 1903, 1809 and 1709 each have thirty-six vulnerabilities, 1803 has thirty-seven, and Windows 7 and 8.1 have twenty-one and nineteen, respectively.
Windows Server 2019, the newest version of the Server OS, is the king of patches this month with forty vulnerabilities patched. Server 2008 R2, 2012 R2, and 2016 get patches for twenty-one, twenty-two, and twenty-seven security holes, respectively.
Windows 10
See the following KB articles for information about the issues addressed by the July 9 updates for the various versions of Windows 10:
- Windows 10 version 1803 – KB4507435. Addresses an issue with BitLocker encryption recovery mode. Includes security updates to Windows Wireless Networking, Windows Server, Microsoft Scripting Engine, Windows Storage and Filesystems, Microsoft Graphics Component, Windows Kernel, Internet Explorer, Windows Input and Composition, Windows Virtualization, Windows App Platform and Frameworks, Microsoft Edge, Windows Cryptography, and Windows Fundamentals.
- Windows 10 version 1809 – KB4507469. Addresses an issue with BitLocker encryption recovery mode and fixes an issue that caused the camera to become unresponsive. Includes security updates to Windows Server, Microsoft Scripting Engine, Microsoft Graphics Component, Internet Explorer, Windows Input and Composition, Windows Virtualization, Windows App Platform and Frameworks, Windows Kernel, Microsoft Edge, Windows Cryptography, and Windows Fundamentals.
- Windows 10 version 1903 – KB4507453. Updates an issue with a tilted world some Mixed Reality users may see after connecting their headsets. Updates the visual quality issues some users may have when using Windows Mixed Reality (WMR) headsets with Steam®VR content. Updates an issue with BitLocker encryption recovery mode. Includes updates to improve security when using Internet Explorer, Microsoft Edge, wireless technologies, and Microsoft Office products.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above.
Older client operating systems
If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates as the same critical vulnerability applies across all versions.
The following security updates apply to previous Windows operating systems:
These updates include fixes for vulnerabilities in Microsoft Graphics Component, Windows Storage and Filesystems, Windows Shell, Windows Input and Composition, and Windows Kernel.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above.
Windows Server operating systems
The four currently supported versions of Windows Server each have from twenty-one to forty vulnerabilities patched this month, with two critical issues in all but Server 2008 R2, which has only one.
- Windows Server 2019 – KB4507469. Addresses an issue with BitLocker encryption recovery mode and fixes an issue that caused the camera to become unresponsive. Includes security updates to Windows Server, Microsoft Scripting Engine, Microsoft Graphics Component, Internet Explorer, Windows Input and Composition, Windows Virtualization, Windows App Platform and Frameworks, Windows Kernel, Microsoft Edge, Windows Cryptography, and Windows Fundamentals.
- Windows Server 2012 R2 – KB4507448 (Monthly rollup) and KB4507457 (security only). Includes security updates to Windows Wireless Networking, Windows Server, Windows Storage and Filesystems, Microsoft Graphics Component, Windows Input and Composition, Windows Kernel, and Windows App Platform and Frameworks.
- Windows Server 2008 R2 – KB4507449 (Monthly rollup) and KB4507456 (security only). Includes security updates to Windows Server, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Shell, Windows Input and Composition, and Windows Kernel.
Note that updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
Microsoft web browsers
Microsoft Internet Explorer 11 gets patches for six vulnerabilities this time around and all of them are rated critical, while Edge ups that number slightly with seven (all critical) vulnerabilities. These include multiple scripting engine memory corruption issues and Chakra scripting engine memory corruption issues, which can be exploited by an attacker to accomplish arbitrary code execution in the context of the current user.
The following security updates apply to Microsoft’s web browsers:
- KB4507434 – Cumulative security update for Internet Explorer. Addresses critical scripting engine vulnerabilities. Note that except for Internet Explorer 11 on Windows Server 2012, the fixes that are included in this Security Update for Internet Explorer (KB4507434) are also included in the July 2019 Security Monthly Quality Rollup. Installing either the Security Update for Internet Explorer or the Security Monthly Quality Rollup installs the fixes that are in this update.
Other Microsoft products and services
Updates were also released this month for the following software:
- Microsoft Office and Microsoft Office Services and Web Apps
- Azure DevOps
- Open Source Software
- .NET Framework
- Azure
- SQL Server
- ASP.NET
- Visual Studio
- Microsoft Exchange Server
There are a number of known issues with the various updates, so please check out the KB articles listed under “Known Issues” in the July 2019 release notes in the Microsoft Security Update Guide portal.
The following are some critical vulnerabilities addressed by this month’s updates:
- CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability – This critical vulnerability affects all client and server versions of Windows. It is a remote code execution vulnerability that exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- CVE-2019-0785 | Windows DHCP Server Remote Code Execution Vulnerability – This vulnerability affects Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. It is a memory corruption vulnerability that exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server. However, the DHCP server must be set to failover mode for the attack to succeed. The security update addresses the vulnerability by correcting how DHCP failover servers handle network packets.
- CVE-2019-1001, CVE-2019-1004, CVE-2019-1056, and CVE-2019-1059 – These are Scripting Engine Memory Corruption vulnerabilities in Internet Explorer 11 and Microsoft Edge.
- CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, and CVE-2019-1107 – These are Chakra Scripting Engine Memory Corruption vulnerabilities in Internet Explorer 11 and Microsoft Edge.
- CVE-2019-1063 and CVE-2019-1104 – These are Browser Memory Corruption vulnerabilities in Internet Explorer 11 and Microsoft Edge.
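Since CVE-2019-0785 above is only reachable when a DHCP server is configured for failover, a quick triage is to check each DHCP server for a failover relationship and for the July update listed on this page. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the DhcpServer module (installed with the DHCP role or RSAT) and local administrator rights, and the function name is our own.

```powershell
# Added example: report whether this DHCP server is exposed to CVE-2019-0785.
# KB numbers are the July 2019 updates listed on this page for each OS; Server 2016
# is not listed here, so it is reported as "unknown" rather than guessed.
function Get-DhcpFailoverExposure {
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    $requiredKbs = @(switch -Wildcard ($os) {
        '*2012 R2*' { 'KB4507448', 'KB4507457' }   # monthly rollup or security-only update
        '*2019*'    { 'KB4507469' }               # cumulative update
        default     { }                           # not listed on this page
    })

    # Either update closes the hole, so one match is enough
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched = if ($requiredKbs.Count -gt 0) {
        @($requiredKbs | Where-Object { $installed -contains $_ }).Count -gt 0
    } else { $null }   # unknown: required KB not listed here

    # Failover relationships on the local server; the cmdlet fails if the role
    # or module is missing, in which case the server cannot be in failover mode
    $failover = @()
    try { $failover = @(Get-DhcpServerv4Failover -ErrorAction Stop) } catch { }
    $inFailover = $failover.Count -gt 0

    [pscustomobject]@{
        OperatingSystem    = $os
        FailoverConfigured = $inFailover
        FailoverPartners   = ($failover | ForEach-Object { $_.PartnerServer }) -join ', '
        RequiredKb         = if ($requiredKbs.Count -gt 0) { $requiredKbs -join ' or ' }
                             else { 'not listed on this page; check the Security Update Guide' }
        Patched            = $patched
        # Exposed only when failover is on and the fix is known to be missing
        Exposed            = $inFailover -and ($patched -eq $false)
    }
}

Get-DhcpFailoverExposure | Format-List
```

Servers that report FailoverConfigured as False are still worth patching, but they are not reachable through this particular bug until someone enables failover.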