Microsoft Security Updates: July 2019

This month’s Microsoft Patch Tuesday addresses 77 vulnerabilities with 15 of them labeled as Critical. Of the 15 Critical vulns, 11 are for scripting engines and browsers, with the remaining four covering DHCP Server, GDI+, .NET Framework, and Azure DevOps Server / Team Foundation Server.

Workstation Patches

Scripting Engine, Browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

DHCP Server RCE

A Remote Code Execution vulnerability exists in Microsoft’s DHCP Server when configured for failover. An attacker with network access to the failover DHCP server could run arbitrary code. This patch should be prioritized for any systems running DHCP in failover mode.
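To find the servers this applies to, the following added example (not from the original page or from Microsoft) lists authorized DHCP servers, checks each for a failover relationship, and looks for the July 2019 KBs this page lists under "Direct update downloads". It assumes the DhcpServer RSAT module, an Active Directory domain, WinRM access to the servers, and a hypothetical function name `Test-DhcpFailoverPatch`.

```powershell
# Added example, not from the original page. Assumes the DhcpServer RSAT module,
# an AD domain, and rights to query the DHCP servers remotely (WinRM/RPC).

# KB numbers come from this page's "Direct update downloads" list, keyed by
# Win32_OperatingSystem.Version. Server 2016 has no KB listed on the page.
$JulyKbByVersion = @{
    '6.3.9600'   = @('KB4507448', 'KB4507457')  # Windows Server 2012 R2
    '10.0.17763' = @('KB4507469')               # Windows Server 2019 (1809)
}

function Test-DhcpFailoverPatch {
    param([Parameter(Mandatory)][string]$ComputerName)

    # An empty result means the server has no IPv4 failover relationship.
    $relations = @(Get-DhcpServerv4Failover -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $expected  = $JulyKbByVersion[$os.Version]
    $found     = @()
    if ($expected) {
        $found = @(Get-HotFix -ComputerName $ComputerName |
                   Where-Object { $_.HotFixID -in $expected })
    }

    $status = if ($relations.Count -eq 0) {
        'No failover relationship'
    } elseif (-not $expected) {
        'Failover: no KB for this OS on the page'
    } elseif ($found.Count -gt 0) {
        'Failover: listed July 2019 KB installed'
    } else {
        'Failover: listed KB not found, verify patch level'
    }

    [pscustomobject]@{
        Server   = $ComputerName
        OS       = $os.Caption
        Failover = ($relations.Name -join ', ')
        KbFound  = ($found.HotFixID -join ', ')
        Status   = $status
    }
}

# Check every DHCP server authorized in Active Directory.
Get-DhcpServerInDC | ForEach-Object { Test-DhcpFailoverPatch -ComputerName $_.DnsName }
```

A later cumulative update or rollup supersedes the listed KB, so a "not found" result means the patch level needs a manual check, not that the server is necessarily unpatched.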

Actively Attacked Privilege Escalation

Microsoft released patches for two privilege escalation vulnerabilities in Win32k and splwow64 that have been exploited in the wild. These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access.

SQL Server RCE

A Remote Code Execution vulnerability in Microsoft SQL Server is also covered in today’s patch release. This vulnerability is ranked as Important, and does require authentication. However, this vulnerability could be chained with SQL injection to allow an attacker to completely compromise the server.

Azure DevOps Server / Team Foundation Server

Azure DevOps Server and Team Foundation Server (TFS) are affected by a Remote Code Execution vulnerability that is exploited through malicious file uploads. Anyone who can upload a file can run code in the context of the Azure DevOps / TFS account. This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.

Outlook on the web XSS

Microsoft issued an advisory on a cross-site scripting vulnerability in Outlook on the web. This vulnerability involves an attacker sending a malicious SVG file, but requires the targeted user to open the image file directly by dragging it to a new tab or pasting the URL into a new tab. While this is an unlikely attack scenario, Microsoft recommends blocking SVG images.

Linux Kernel TCP SACK DoS

Several DoS vulnerabilities were reported in June for the Linux kernel. Microsoft has issued an advisory with information and links regarding these vulnerabilities.

Adobe Patch Tuesday

Adobe has issued patches for Bridge CC, Experience Manager, and Dreamweaver. Experience Manager is patched for three vulns, while Bridge and Dreamweaver each have one. None are labeled as Critical, and the highest rated vuln for each software is Important.

Executive Summary

  • Microsoft released security updates for all client and server versions of the Windows operating system.
  • All versions of Windows are affected by (at least) 1 critical security issue.
  • Security updates were also released for other company products such as Internet Explorer, Microsoft Edge, Microsoft Office, Azure DevOps, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Microsoft Exchange Server
  • The Microsoft Update Catalog lists 212 entries.

Operating System Distribution

  • Windows 7: 21 vulnerabilities: 1 rated critical and 20 rated important
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows 8.1: 19 vulnerabilities: 1 rated critical and 18 rated important
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows 10 version 1703: 24 vulnerabilities: 1 critical and 23 important
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows 10 version 1709: 36 vulnerabilities: 1 critical and 35 important
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows 10 version 1803: 37 vulnerabilities: 1 critical and 36 important
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows 10 version 1809: 36 vulnerabilities: 1 critical and 35 important
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows 10 version 1903: 36 vulnerabilities: 1 critical and 35 important.
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability

Windows Server products

  • Windows Server 2008 R2: 21 vulnerabilities: 1 critical and 20 important.
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows Server 2012 R2: 22 vulnerabilities: 2 critical and 20 important.
    • CVE-2019-0785 | Windows DHCP Server Remote Code Execution Vulnerability
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows Server 2016: 27 vulnerabilities: 2 critical and 25 important
    • CVE-2019-0785 | Windows DHCP Server Remote Code Execution Vulnerability
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability
  • Windows Server 2019: 40 vulnerabilities: 2 critical and 38 important.
    • CVE-2019-0785 | Windows DHCP Server Remote Code Execution Vulnerability
    • CVE-2019-1102 | GDI+ Remote Code Execution Vulnerability

Known Issues

Windows 7 Service Pack 1 and Windows Server 2008 R2

  • Issue with McAfee Enterprise software that causes slow startup or the system to become unresponsive.

Windows 8.1 and Windows Server 2012 R2

  • Still the long-standing issue with Cluster Shared Volumes that throws the error "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)".
  • Issue with McAfee Enterprise software that causes slow startup or the system to become unresponsive.
  • Window-Eyes screen reader may throw errors on launch or during use, and some features may not work properly.

Windows 10 version 1803

  • Still the long-standing issue with Cluster Shared Volumes that throws the error "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)".
  • Black screen during first logon after installing updates.
  • Issue with Window-Eyes screen reader app that may not work correctly.

Windows 10 version 1809 and Server 2019

  • Long-standing issue with Cluster Shared Volumes.
  • Error "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND" on devices with "some Asian language packs installed".
  • Black screen during first logon after installing updates.
  • Issue with Window-Eyes screen reader app that may not work correctly.

Windows 10 version 1903

  • Windows Sandbox may fail to start.
  • The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0.

Direct update downloads

Windows 7 SP1 and Windows Server 2008 R2 SP

  • KB4507449 -- 2019-07 Security Monthly Quality Rollup for Windows 7
  • KB4507456 -- 2019-07 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4507448 -- 2019-07 Security Monthly Quality Rollup for Windows 8.1
  • KB4507457 -- 2019-07 Security Only Quality Update for Windows 8.1

Windows 10 (version 1803)

  • KB4507435 -- 2019-07 Cumulative Update for Windows 10 Version 1803

Windows 10 (version 1809)

  • KB4507469 -- 2019-07 Cumulative Update for Windows 10 Version 1809

Windows 10 (version 1903)

  • KB4501375 -- 2019-07 Cumulative Update for Windows 10 Version 1903