The July 2019 Patch Tuesday release included fixes for 77 vulnerabilities, two of which were Windows zero-days that were actively exploited in the wild.
The two Windows zero-days are both local escalation-of-privilege flaws that cannot be used alone to perform an attack. One zero-day, CVE-2019-0880, is a flaw in how splwow64.exe handles certain calls. The issue affects Windows 8.1, Windows 10 and Windows Server 2012, 2016 and 2019.
"This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability that is capable of leveraging the elevated privileges when code execution is attempted," according to Microsoft.
The other Windows zero-day the vendor patched was CVE-2019-1132, which caused the Win32k component to improperly handle objects in memory. This issue affects Windows 7 and Windows Server 2008.
"To exploit this vulnerability, an attacker would first have to log on to the system," Microsoft noted. "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system."
This zero-day was reported to Microsoft by ESET. Anton Cherepanov, senior malware researcher for ESET, detailed a highly targeted attack in Eastern Europe and recommended upgrading systems as the best remediation against attacks.
"The exploit only works against older versions of Windows, because since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems," Cherepanov wrote in a blog post. "People who still use Windows 7 for 32-bit systems Service Pack 1 should consider updating to newer operating systems, since extended support of Windows 7 Service Pack 1 ends on January 14th, 2020. Which means that Windows 7 users won't receive critical security updates. Thus, vulnerabilities like this one will stay unpatched forever."
Beyond the two Windows zero-days patched this month, there were six vulnerabilities patched that had been publicly disclosed, but no attacks were seen in the wild. The disclosures could potentially aid attackers in exploiting the issues faster, so enterprises should prioritize the following:
- CVE-2018-15664, a Docker flaw in the Azure Kubernetes Service;
- CVE-2019-0962, an Azure Automation escalation-of-privilege flaw;
- CVE-2019-0865, a denial-of-service flaw in SymCrypt;
- CVE-2019-0887, a remote code execution (RCE) flaw in Remote Desktop Services;
- CVE-2019-1068, an RCE flaw in Microsoft SQL Server; and
- CVE-2019-1129, a Windows escalation-of-privilege flaw.
The Patch Tuesday release also included 15 vulnerabilities rated critical by Microsoft. Some standout patches in that group included CVE-2019-0785, a DHCP Server RCE issue, and four RCE issues affecting Microsoft browsers, which Trend Micro labeled as noteworthy -- CVE-2019-1004, CVE-2019-1063, CVE-2019-1104 and CVE-2019-1107.