Tim Lovegrove
Security Analyst
Welcome to the July 2019 Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases. We had a month off in June and there’s plenty to catch up on, so let’s get cracking.
Microsoft
First off, Microsoft’s regular Patch Tuesday dropped fixes for 77 vulnerabilities. There’s 16 rated as critical and a few of those warrant closer attention as they are “zero-days” reported as being under active attack.
CVE-2019-1132 and CVE-2019-0880, affecting Win32k and splwow64 respectively, can both be used in partnership with other Remote Code Execution bugs to get local privilege elevation. Whilst not trivial to exploit, attacks using these bugs have been verified in the wild, and swift patching is recommended.
Another interesting bug affects Windows DHCP servers running in failover mode. By targeting the failover DHCP server with a crafted packet, an attacker can use the memory corruption bug to run arbitrary code, potentially gaining access to the system. Domain Controllers often share DHCP duties, and talk to many machines on the network, making them high value targets. However, the attack requires local network access to the server, which reduces the risk somewhat.
Also concerning is a slew of memory corruption vulnerabilities in Edge and Internet Explorer, leading to remote code execution when a user browses to a malicious website. By leveraging other bugs such as the CVE-2019-0880 flaw, the attacker can escape the browser sandbox and gain full control of the machine. This really is a case of patching everything in one go, particularly on end-user desktops.
Earlier this month we saw the Windows 10 semi-annual update 19H2 released to public testers, implying it will see full release in the not-too-distant future. We’re expecting it to drop around September.
And as a final side note, SQL Server 2008 and 2008 R2 went end-of-life earlier this month, and we also hit the 6-month warning notice for Windows Server 2008, Server 2008 R2 and Windows 7 going end-of-life. For anyone still running these OSes, now’s the time to start getting serious with planning migrations
Adobe
For the first time in forever, there’s no security updates for Reader/Acrobat or Flash in this month’s drop, with Adobe focussing on patches for Bridge CC, Dreamweaver and Experience Manager. A non-security update for Flash has appeared, 32.0.0.223, but otherwise it’s a quiet month from Adobe.
Get in Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.