July Patch Tuesday 2019
Microsoft has released an update for everything including the kitchen smart sink! OK, maybe not for sinks, but there are updates for the Windows OS, Office, .NET, SQL, VSTS and an Advisory for Microsoft Exchange Server! There are also updates for the following development binaries: Azure IoT Edge, Azure Kubernetes Service, Azure Automation, Azure DevOps Server, ASP.NET Core, .NET Core and ChakraCore. It is quite the lineup.
Microsoft resolved a total of 77 unique CVEs this month including two zero-days that have been reported in attacks in the wild and six public disclosures.
The first exploited vulnerability (CVE-2019-0880) is an Elevation of Privilege vulnerability in splwow64 affecting Windows 8.1, Server 2012 and later operating systems. If exploited, it lets an attacker elevate their privilege level from low to medium integrity. Once they have elevated their privilege level, an attacker could exploit another vulnerability to allow them to execute code.
The second exploited vulnerability (CVE-2019-1132) is also an Elevation of Privilege vulnerability. In this case the vulnerability is in Win32k and affects Windows 7, Server 2008 and Server 2008 R2. While an attacker would have to gain log-on access to the system to execute the exploit, the vulnerability, if exploited, would allow the attacker to take full control of the system.
Mozilla released updates for Firefox and Firefox ESR, resolving 21 vulnerabilities and 10 vulnerabilities respectively. Both are rated as critical and include vulnerabilities that could lead to information disclosure, sandbox escapes and remote code execution.
Oracle is releasing their Critical Patch Update on Tuesday of next week, so expect updates from all your favorite middleware and Java.
This is a good time to bring up development tools. As the industry continues the shift toward DevOps and integrating with development binaries like Java, there are new considerations that you need to account for in managing the vulnerabilities in your environment. Java 11 changed the paradigm. There is no longer a separate JRE and JDK. With Java 8 applications, a developer would build the application using the JDK, and when the application was deployed to a system it required the Java JRE to run. Each quarter, when Oracle released an update, the application did not require a change, but you needed to update the JRE instance to remove vulnerabilities. With Java 11, the JRE components are built right into the application. So as Oracle releases Java 11 updates resolving security vulnerabilities, a developer will need to update their version of the JDK and build the application again to include the new JRE components if any were vulnerable.
Microsoft released updates this month for several development tools, including .NET Core and ASP.NET Core, that similarly require you to update the SDK component, then rebuild and redistribute the application to resolve the vulnerabilities. Other examples of development binaries include Apache Struts, ChakraCore, ASP.NET Core, Open Enclave SDK and many others.
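Because a runtime that ships inside an application is not touched by patching the system-wide JRE, the first step is an inventory of those embedded runtimes. The following is an added example, not code from this post or from any vendor: it walks an application directory, reads the `release` file that JDK and jlink runtime images keep at their root, and reports runtimes below a baseline. The function names, sample directory layout and baseline versions are constructed for illustration, and runtimes packed inside archives are not covered.

```python
import re
import tempfile
from pathlib import Path

# The `release` file at the root of a JDK or jlink image has a line like JAVA_VERSION="11.0.3"
_VERSION_RE = re.compile(r'^JAVA_VERSION="([^"]+)"', re.MULTILINE)

def parse_version(text):
    """Turn '11.0.3' or legacy '1.8.0_212' into a comparable tuple of ints."""
    parts = [int(p) for p in re.split(r"[._+-]", text) if p.isdigit()]
    if parts[:1] == [1]:  # legacy 1.x scheme: 1.8.0_212 -> (8, 0, 212)
        parts = parts[1:]
    return tuple(parts)

def find_bundled_runtimes(root):
    """Yield (runtime_dir, version_string) for every runtime image under root."""
    for release in Path(root).rglob("release"):
        if not release.is_file():
            continue
        match = _VERSION_RE.search(release.read_text(errors="replace"))
        if match:
            yield release.parent, match.group(1)

def outdated_runtimes(root, baselines):
    """Return (path, version, baseline) for runtimes below their major version's baseline.
    A major version with no baseline entry is reported as well (baseline None)."""
    findings = []
    for path, version in find_bundled_runtimes(root):
        parsed = parse_version(version)
        wanted = baselines.get(parsed[0]) if parsed else None
        if wanted is None or parsed < parse_version(wanted):
            findings.append((str(path), version, wanted))
    return sorted(findings, key=lambda f: f[0])

def demo():
    """Build a constructed application tree in a temp dir and scan it (sample data only)."""
    samples = {"billing/runtime": "11.0.3", "portal/jre": "11.0.4", "legacy/jre": "1.8.0_201"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, version in samples.items():
            target = Path(tmp, rel)
            target.mkdir(parents=True)
            (target / "release").write_text(f'JAVA_VERSION="{version}"\nOS_ARCH="x86_64"\n')
        # Constructed baseline; take the real minimum version from the vendor's advisory.
        found = outdated_runtimes(tmp, {11: "11.0.4"})
        return [(Path(p).relative_to(tmp).as_posix(), v, w) for p, v, w in found]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Each finding points at an application that has to be rebuilt and redistributed by its developer rather than patched in place.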