Patch Tuesday this month offers fixes for a total of 77 vulnerabilities, of which 15 are marked critical, rounded out by two zero-day flaws just to make things interesting.
However, with an operating system estate as large as Microsoft’s these days, numbers don’t tell the whole story.
A good example of this is Microsoft’s Edge and Internet Explorer 11 browsers, which, including two overlaps, are patched for seven and six flaws respectively, all rated critical, and all remote code execution (RCE) flaws in the most vulnerable part of a browser, the web scripting engine.
It’s worth drawing attention to this because it’s easy to overlook the security of software bundled in Windows 10 which some users either use infrequently, or do not use at all.
As explained in previous coverage, this is particularly the case with IE 11, which many Windows 10 users don’t even realise is there but hangs around to maintain backwards compatibility. Compare that to Windows 10 64-bit version 1903, which earns only one critical, CVE-2019-1102.
The two zero days are CVE-2019-0880 and CVE-2019-1132, both Elevation of Privilege (EoP) flaws currently being exploited in the wild by unnamed threat groups. The first affects the Windows splwow64 print spooler while the second is in Win32k.
Although both are rated ‘important’, a notch down from critical, good patchers aren’t fooled by such distinctions. Most likely, all that means in practice is that they have to be used in conjunction with other flaws, the proof being that each has been detected in such scenarios (we await details from the companies that reported them).
Microsoft has also patched five publicly disclosed vulnerabilities, including the CVE-2019-0865 denial-of-service bug in the SymCrypt Windows 8/10 cryptographic library, made public last month by Google’s Project Zero.
The other four are CVE-2018-15664 (a Docker EoP), CVE-2019-0962 (affecting Azure), CVE-2019-1068 (an MS-SQL Server RCE), and CVE-2019-1129 (Windows appXSVC EoP).
It’s become a job to keep up with the sequence of vulnerabilities (and fix bypasses) disclosed by the researcher called SandboxEscaper and this month we get another one under the moniker Polar Bear – CVE-2019-1130, also in appXSVC.
Finally, with Adobe almost taking a month off (bar three advisories affecting Dreamweaver, Experience Manager, and Bridge), the July 2019 bulletin does feature one general bug fix with a bearing on security, described by Microsoft as addressing:
An issue that may cause BitLocker to go into recovery mode if BitLocker is being provisioned at the same time as updates are being installed.
You can read more about this month’s Patch Tuesday updates on the SophosLabs blog.
2 comments on “Two zero days and 15 critical flaws fixed in July’s Patch Tuesday”
I recently had an issue with a necessary website that would not provide the functionality it was supposed to.
Since I use the Vivaldi browser (Chromium based) regularly, the support assistant told me to close the browser and log in with Chrome.
When I told them I would never use Chrome and it was not installed, they told me to log in with IE! I questioned this and was told IE. Not Edge, or Firefox, or PaleMoon but ***IE***.
Long story short, got caught with something trying to erase all my System files.
I did manage to get out of it as I had and kept Task Manager open, killed IE, and was able to get Sophos Home running. No virus found but no access to my desktop.
Since I’d recently done the last Windows update, I bit my lip and did a System Restore, rescanned, scanned with Malwarebytes, nothing. So I suspect it was one of the “A good example of this is Microsoft’s Edge and Internet Explorer 11 browsers, which, including two overlaps, are patched for seven and six flaws respectively” you mentioned. 🙁
By the by, I could not get your Home version of the stand-alone Virus Cleaner, only the commercial version.
This free cleaning tool is free in the sense of “it costs $0”:
The Hitman Pro tool is free in the sense of “it costs $24.95 if you want to keep using after 30 days, but all features work for $0 during those 30 days”:
And Sophos Home is free in the sense of “there’s a $0 version that you can use on up to 3 Windows and Mac computers, but also a paid Premium version that has some added features and covers 10 computers”: