July’s Patch Tuesday Fixes Critical Flaws in Microsoft Edge and Internet Explorer, Including 2 Exploited Vulnerabilities
It’s time to get vulnerable installations patched. Microsoft’s July Patch Tuesday release includes updates for almost 80 vulnerabilities, along with two advisories. Critical patches covered in the release include fixes for Windows DHCP Server, Azure DevOps Server and Team Foundation Server, and .NET Framework, namely assigned as CVE-2019-0785, CVE-2019-1072, and CVE-2019-1113. Other flaws in Azure Automation, Docker, DirectWrite, DirectX, SymCrypt, Windows DNS Server, and Windows GDI have also been resolved. Elevation of privilege vulnerabilities in Microsoft splwow64 (CVE-2019-0880) and Win32k (CVE-2019-1132), which were reported as being exploited, have also been patched.
Here’s a look at some of the noteworthy patches for this month, covering Critical-rated vulnerabilities:
CVE-2019-1107 is a remote code execution (RCE) vulnerability in the Chakra scripting engine and how it handles objects in memory in Microsoft Edge. An attacker who successfully takes advantage of this vulnerability can gain the same user rights as the current user and execute arbitrary code on the affected system. Successfully exploiting this vulnerability also allows an attacker to install programs, modify data, and create new accounts with full user rights on the affected system.
CVE-2019-1063 is an RCE vulnerability in Internet Explorer, which improperly accesses objects in memory. An attacker can take control of an affected system if the current user is logged on with administrative user rights. To exploit the vulnerability, an attacker can trick a user into viewing a specially crafted website through an email, email attachment, or instant message.
CVE-2019-1004 is an RCE vulnerability affecting Internet Explorer and how the scripting engine handles objects in memory. An attacker can host a specially crafted website designed to exploit the vulnerability via Internet Explorer and trick a user to view the said website. An attacker can also embed an ActiveX control marked “safe for initialization” in an application or a Microsoft Office document that hosts the IE rendering engine.
CVE-2019-1104 is an RCE vulnerability that exists in the way Microsoft browsers access objects in memory. Aside from executing arbitrary code in the context of the current user, an attacker can also design a website that exploits the vulnerability through Microsoft browsers, take advantage of compromised websites by adding specially crafted content, or use social engineering to trick users into viewing attacker-controlled content in emails or instant messages.
The July security bulletin also includes updates for the denial of service (DoS) vulnerability in Linux kernel TCP SACK (ADV190020) and three flaws in Adobe (notably none for Adobe Flash or Acrobat Reader), particularly in Bridge CC, Experience Manager, and Dreamweaver. The release also includes fixes for a number of addressed information disclosure vulnerabilities in DirectWrite, Microsoft Exchange, Microsoft Visual Studio, Windows GDI, and Windows kernel.
Users with affected installations are advised to prioritize the updates in order to avoid possible system exploitation through unpatched vulnerabilities. The Trend Micro Deep Security and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday release via the following Deep Packet Inspection (DPI) rules:
|1009834||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1107|
|1009835||Microsoft Excel Information Disclosure Vulnerability||CVE-2019-1112|
|1009836||Microsoft Internet Explorer Memory Corruption Vulnerability||CVE-2019-1063|
|1009837||Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability||CVE-2019-1004|
|1009838||Microsoft Internet Explorer And Edge Memory Corruption Vulnerability||CVE-2019-1104|
|1009839||Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability||CVE-2019-1001|
|1009840||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1103|
|1009841||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1106|
|1009842||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1092|
|1009843||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1062|
- 35658: HTTP: Microsoft Internet Explorer Type Confusion Vulnerability
- 35659: HTTP: Microsoft Windows Scripting Engine Use-After-Free Vulnerability
- 35660: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
- 35661: HTTP: Microsoft Internet Explorer Type Confusion Vulnerability
- 35666: HTTP: Microsoft Edge Chakra Scripting Engine Out-of-Bounds Write Vulnerability
- 35667: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
- 35668: HTTP: Microsoft Internet Explorer Type Confusion Vulnerability
- 35669: HTTP: Microsoft Edge JIT Object.prototype Out-of-Bounds Write Vulnerability
- 35670: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
Updated as of July 9, 2019 at 9:37 p.m. PDT to tweak headline and add details on the patches (numbers, concerned platforms, and direct links)