VERT Threat Alert: July 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s July 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-839 on Wednesday, July 10th.

In-The-Wild & Disclosed CVEs

CVE-2019-0865

This vulnerability describes a denial of service that occurs when SymCrypt processes specially crafted digital signatures. This vulnerability was discussed by Forbes on June 12th after being disclosed by Tavis Ormandy via Google Project Zero.

Microsoft has rated this as a 2 (Exploitation Less Likely) on the Exploitability Index.

CVE-2019-0887

A vulnerability in Remote Desktop Services clipboard redirection could lead to remote code execution. Clipboard redirection is the functionality that allows for the sharing of the clipboard between the local and remote host. A write-up on this attack was published by Eyal Itkin of Check Point back in February. It is important to note that the attacker would require access to a system running remote desktop and the victim would need to connect to the attacker-controlled system.

Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.

CVE-2019-0880

A privilege escalation vulnerability in splwow64.exe allows attackers to elevate privileges from low-integrity to medium-integrity. You can learn more about Mandatory Integrity Control here. Microsoft has indicated that they are seeing active exploitation of this vulnerability against older releases of Windows.

Microsoft has rated this as a 1 (Exploitation More Likely) for the Latest Software Release and a 0 (Exploitation Detected) for Older Software Releases on the Exploitability Index.

CVE-2019-1068

Microsoft SQL Server can incorrectly process internal functions, leading to code execution in the context of the SQL Server Database Engine service account. To exploit this vulnerability, an attacker would need to be authenticated against the SQL server in order to perform the malicious query.

Microsoft has rated this as a 2 (Exploitation Less Likely) on the Exploitability Index.

CVE-2019-1129

A vulnerability in Windows AppX Deployment Service (AppXSVC) allows an elevation of privilege when improperly handling hard links. We previously saw CVE-2019-0841 patched in April and, following the release of that update, a pair of bypasses for CVE-2019-0841 were released. This may not be the last time we see AppXSVC patched.

Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index.

CVE-2019-1132

CVE-2019-1132 is currently seeing active exploitation on older software releases, while the latest software release is not affected. The vulnerability is a privilege escalation in Win32k that could give an attacker full control of an affected system.

Microsoft has rated this as a 4 (Not affected) for the Latest Software Release and a 0 (Exploitation Detected) for Older Software Releases on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

Other Information

In addition to the Microsoft vulnerabilities included in the July Security Guidance, several advisories were released today.

Outlook on the web Cross-Site Scripting Vulnerability [ADV190021]

Microsoft has released information regarding a cross-site scripting vulnerability affecting Outlook on the web (formerly Outlook Web App) on-premises deployments. The vulnerability requires an attached image in the SVG format, which can be blocked using the steps outlined in this advisory.

Guidance to mitigate unconstrained delegation vulnerabilities [ADV190006]

This previously released advisory was updated this month to announce that security updates have been released for all versions of Windows that set the new trust flag to Yes for CVE-2019-0683.