Microsoft released their monthly security updates for July today. This month’s fixes address 77 vulnerabilities that affect Windows and a range of software that runs on Windows, mainly Internet Explorer, DirectX and the graphical subsystem.
Adobe products did not synchronize the release of patches for their products this month.
Among the vulnerabilities, 16 are categorized by Microsoft as critical, 60 as important and 1 as moderate.
Almost all of the critical vulnerabilities allow an attacker to execute remote code on the targeted system and 19 of the important vulnerabilities can be used for local elevation of privilege. Through a successful social engineering attack, either with a malicious website or Excel documents, an external attacker could fully compromise a targeted user’s machine.
There are 6 critical vulnerabilities for Internet Explorer and 5 for Chakra, the JavaScript engine of both Edge and Internet Explorer. The following components all have one remote code execution vulnerability: the Windows DHCP server, the Azure DevOps Server, the .NET Framework and the GDI+ API. Finally there is an authentication bypass for applications using the Windows Communication Foundation and the Windows Identity Foundation API.
There are reports that the two elevation of privilege vulnerabilities affecting Windows components are actively being exploited.
It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-07” at the Microsoft Update Catalog website.
Let’s have a closer look at some of the interesting vulnerabilities.
Win32k Elevation of Privilege Vulnerability 🕷️
CVE-2019-1132
The Win32k driver on Windows 7 32bit can be abused to get a NULL pointer dereference. An attacker with remote code execution could use this vulnerability to achieve local elevation of privilege. This has been exploited in the wild.
Microsoft splwow64 Elevation of Privilege Vulnerability 🕷️
CVE-2019-0880
There is pointer dereference issue in the printer driver for 32-bit processes that could be used to escape the sandbox of Internet Explorer Enhanced Protected Mode (EPM).
After achieving remote code execution using a vulnerability like the ones that follow, affecting the Edge or Internet Explorer web browsers, an attacker could exploit this vulnerability to create a new process of medium integrity level. This has been exploited in the wild.
Multiple browser memory corruption vulnerabilities
Internet Explorer: CVE-2019-1001, -1004, -1056, -1059, -1063, and -1104
Chakra: CVE-2019-1062, -1092, -1103, -1106, and -1107
Internet Explorer and Edge suffer from several memory corruption vulnerabilities, such as type confusion, out-of-bounds write, and use-after-free.
If an attacker could trick a victim into browsing to a malicious website, they can execute remote code in the context of the web browser. To gain full control of the machine is more difficult: the attacker would need to escape the sandbox using a vulnerability such as the previously mentioned CVE-2019-0880, and then perform a local privilege elevation that delivers full administrative access.
Sophos coverage
Sophos has released following detection to address the vulnerabilities mentioned above. Please note that additional vulnerabilities and corresponding detection may be released in the future.
CVE | SAV | IPS | Intercept-X |
CVE-2019-0880 | Exp/20190880-A | N/V | N/V |
CVE-2019-1129 | Exp/20191129-A | N/V | N/V |
CVE-2019-1132 | Exp/20191132-A | N/V | N/V |
N/V = Not Validated.
The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. Intercept X’s ability to block the exploit depends on the actual exploit weaponization approach, which we won’t see until someone spots it in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.
It is mostly not possible to test with Intercept-X due to the nature of the data we receive.
What if the vulnerability/0-day you look for is not covered above?
The most likely reason for this is we did not receive enough information about the vulnerability to create detection.