This is a big Patch Tuesday for some Windows users. Older systems such as Windows 7 and Server 2008 need both urgent and important updates to resolve publicly disclosed and exploited vulnerabilities. If you are running later versions of Windows 10, the situation is much improved, with recommendations for scheduled updates and comprehensive testing before deployment.
With 77 unique CVEs addressed, two zero-days and six publicly disclosed vulnerabilities, some time and attention is definitely required for this Patch Tuesday update cycle. Older platforms will require immediate attention, while Remote Desktop Services (RDS) will need some testing and the latest features (sandbox) on Windows 10 1903 may require some additional unit testing.
That said, there is room for pure joy this month: no updates to Adobe Flash or Shockwave. Amazing, simply amazing. We have provided a graphical summary of this month’s Patch Tuesday release cycle here.
If ever there was a time to pay attention to the “Known Issues” section in Microsoft’s Patch Tuesday release notes, it may be this month’s release. We know that there was a major issue reported against Microsoft’s cryptographic library (SymCrypt) in early March, with a planned patch scheduled for June – which was subsequently delayed to July due to testing issues. It’s generally not a good sign when you see the phrase, “We are investigating reports that a small number of devices may start-up to a black screen during the first logon after installing updates.” in the middle of release notes.
In addition, we are seeing issues with updates to Windows 10 1903 and the new sandbox functionality. Finally, if you are heavily reliant on Microsoft Remote Desktop Services (RDS), then you will need to take a look at these latest updates and how they apply to Windows 10 desktop platforms. Here is a brief summary of some of the issues raised this month with the July Patch Tuesday release cycle:
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
- Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform an operation on a CSV owner node from a process that doesn’t have administrator privileges.
- Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
- The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0.
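As an added example (not from Microsoft's release notes or the original article), the sketch below triages post-update error reports against the four known issues listed above. The log layout, host names and the context keywords used to qualify the generic codes 0x80070002 and 0xc0000005 are assumptions.

```python
import re
from collections import defaultdict

# Known issues from the list above: (code, symbolic name, context words, summary).
# The context words are an assumption of this example: 0x80070002 and 0xc0000005
# are generic Windows codes, so the code alone is not treated as a confirmed hit.
KNOWN_ISSUES = [
    (0x800F0982, "PSFX_E_MATCHING_COMPONENT_NOT_FOUND", (), "language pack error after KB4493509"),
    (0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL", (), "CSV operation from non-admin process"),
    (0x80070002, "ERROR_FILE_NOT_FOUND", ("sandbox",), "Windows Sandbox fails to start (1903)"),
    (0xC0000005, None, ("rasman", "remote access connection manager"), "RASMAN service stops"),
]
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]{1,8})\b")

def classify(message):
    """Return (summary, confident) for the known issue a message matches, else None."""
    text = message.lower()
    codes = {int(h, 16) for h in HEX_RE.findall(message)}
    for code, name, context, summary in KNOWN_ISSUES:
        if code in codes or (name and name.lower() in text):
            # Generic codes need a component keyword before we call it a known issue.
            return summary, (not context or any(word in text for word in context))
    return None

def triage(lines):
    """Group hits by host; input uses a constructed 'HOST | message' layout."""
    report = defaultdict(list)
    for line in lines:
        host, _, message = line.partition("|")
        hit = classify(message)
        if hit:
            report[host.strip()].append(hit)
    return dict(report)

SAMPLE = [  # constructed help-desk / event-log lines, not real data
    "WS-014 | Update failed: 0x800F0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND",
    "HV-02 | rename on C:\\ClusterStorage\\Vol1 failed, status 0xc00000a5",
    "WS-101 | Windows Sandbox failed to start. Error 0x80070002",
    "WS-101 | Installer exited with 0x80070002",
    "VPN-07 | Service RasMan terminated unexpectedly, exception 0xc0000005",
    "WS-033 | Logon completed normally",
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        for summary, confident in hits:
            print(host, "known issue" if confident else "check manually", summary)
```

A hit flagged "check manually" carries one of the generic codes without the component named in the known issue, so it should not be counted against this month's updates without further evidence.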
We have not found any major revisions that require attention for this update cycle.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft .NET Core and Chakra Core
- Adobe Flash Player
With this month’s update to Microsoft’s two browsers (IE and Edge), Microsoft has attempted to resolve eight critical issues and nine reported issues, all leading to potential remote code execution scenarios. These combined vulnerabilities can be grouped into the following categories:
- Chakra Scripting
- IE Memory corruption issues
- Microsoft Script Object memory handling
Unfortunately, Microsoft has reported that these vulnerabilities are likely to be exploited on all platforms. They could lead to code execution with full user or admin privileges and may only require a visit to a specially crafted web page to exploit. This makes these updates both urgent and important. Add these browser updates to your “Patch Now” release cycle.
This is another big month for the Windows platform, with two reported critical issues and 48 issues rated as important by Microsoft. There are two zero-day vulnerabilities reported this month, both relating to Windows 7 and Server 2008 platforms. If you are running the latest version of Windows 10 (1903) then you only have to worry about two issues:
- CVE-2019-1096: An information disclosure vulnerability exists when the win32k component improperly provides kernel information
- CVE-2019-1085: An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory
If you are using older versions of Windows, then the two vulnerabilities to focus on this month are elevation of privilege vulnerabilities that have been reported as exploited in the wild:
- CVE-2019-0880: This is a medium level exploit of the Microsoft SPLWOW64.EXE (the Printer driver host for 32-bit applications on x64 systems) which could lead to a security on older systems (Win7 and Server 2008)
- CVE-2019-1132: This issue relates to how the Win32k component fails to handle objects in memory on older systems (Win7, Server 2008)
Both of these security issues are a real concern. However, maybe it is time to move off of the Windows 7 platform and on to a modern desktop such as Windows 10. It’s not quite the moral imperative of moving from Windows XP, but these issues are great “monthly reminders” to at least start the planning process for a desktop migration.
If you have moved, and if you are on the latest Windows 10 build (1903) then your build team needs to spend some time on the new sandbox functionality, as there were reported testing issues this month. And, please test your Remote Desktop Services (RDS) implementation. I am not sure that there is a direct mapping to an application specific issue, but it may be time to run RDS through your basic unit tests before a general deployment of the Windows 10 updates. If you are using Windows 7 and 8, add these updates to your “Patch Now” release schedule. If you are using Windows 10, add these updates to your standard deployment schedule of patches.
Microsoft has released seven updates for Microsoft Office, none rated as critical. There are three vulnerabilities addressed for Microsoft Exchange, all rated as important by Microsoft as they could lead to a spoofing attack scenario, although they are difficult to exploit:
- CVE-2019-1084: An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters.
- CVE-2019-1136: An elevation of privilege vulnerability exists in Microsoft Exchange Server that could lead to a spoofing attack
- CVE-2019-1137: A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server
Add these updates to your standard office patch schedule.
Development Tools (.NET and Chakra Core)
Microsoft has really broadened the scope of what can now be included in Patch Tuesday related updates. We are seeing updates to Docker, Azure DevOps, .NET Core libraries and, most importantly, to the Chakra scripting engine.
Some of the more important updates (also rated as critical by Microsoft) include:
- CVE-2019-1113: A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.
- CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107: The Chakra scripting engine has a memory handling issue that could lead to remote code execution scenarios.
We advise adding the .NET changes to a scheduled development update. The Chakra scripting engine updates need to be added to your “Patch Now” release schedule.
There are no updates for Adobe products this month from Microsoft. Yes, it’s true.
Maybe my advice was heeded, and everyone just stopped using Flash. That said, there were two updates to Adobe products for July including: