Patch Tuesday Lowdown, July 2019 Edition

Krebs on Security


Microsoft today released software updates to plug nearly 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.

Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”

The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019.

Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed such a critical flaw in the Windows DHCP client.

All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Explorer.

One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system.

CVE-2019-0865 is a denial-of-service bug in a Microsoft open-source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline.

The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system.

Mercifully, there do not appear to be any security updates for Adobe Flash Player this month.

Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days before Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge).

As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed.

If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips.

Additional reading:

Qualys Patch Tuesday Blog


Tenable [full disclosure: Tenable is an advertiser on this blog].