Two zero days and 15 critical flaws fixed in July’s Patch Tuesday

Patch Tuesday this month offers fixes for a total of 77 vulnerabilities, of which 15 are marked critical, rounded out by two zero-day flaws just to make things interesting.

However, with an operating system estate as large as Microsoft’s these days, numbers don’t tell the whole story.

A good example of this is Microsoft’s Edge and Internet Explorer 11 browsers, which are patched for seven and six flaws respectively (two of them shared between the browsers), all rated critical, and all remote code execution (RCE) flaws in the most vulnerable part of a browser, the web scripting engine.

It’s worth drawing attention to this because it’s easy to overlook the security of software bundled in Windows 10 which some users either use infrequently, or do not use at all.

As explained in previous coverage, this is particularly the case with IE 11, which many Windows 10 users don’t even realise is there but hangs around to maintain backwards compatibility. Compare that to Windows 10 64-bit version 1903, which earns only one critical, CVE-2019-1102.

Zero days

The two zero days are CVE-2019-0880 and CVE-2019-1132, both Elevation of Privilege (EoP) flaws currently being exploited in the wild by unnamed threat groups. The first affects the Windows splwow64 print spooler while the second is in Win32k.

Although both are rated ‘important’, a notch down from critical, good patchers aren’t fooled by such distinctions. Most likely, all the rating means in practice is that each flaw has to be used in conjunction with other flaws, and each has indeed been detected in such scenarios (we await details from the companies that reported them).

Disclosed flaws

Microsoft has also patched five publicly disclosed vulnerabilities, including the CVE-2019-0865 denial-of-service bug in the SymCrypt Windows 8/10 cryptographic library, made public last month by Google’s Project Zero.

The other four are CVE-2018-15664 (a Docker EoP), CVE-2019-0962 (affecting Azure), CVE-2019-1068 (an MS-SQL Server RCE), and CVE-2019-1129 (Windows appXSVC EoP).

It’s become a job to keep up with the sequence of vulnerabilities (and fix bypasses) disclosed by the researcher called SandboxEscaper and this month we get another one under the moniker Polar Bear – CVE-2019-1130, also in appXSVC.

BitLocker fix

Finally, with Adobe almost taking a month off (bar three advisories affecting Dreamweaver, Experience Manager, and Bridge), the July 2019 bulletin does feature one general bug fix with a bearing on security, described by Microsoft as addressing:

“An issue that may cause BitLocker to go into recovery mode if BitLocker is being provisioned at the same time as updates are being installed.”

You can read more about this month’s Patch Tuesday updates on the SophosLabs blog.