Patch Central
Some like it hot. If that describes you, August in Texas should be right up your alley. We’ve been “enjoying” 100° F temperatures for the past few days, which has me daydreaming about taking another cruise to Alaska as summer goes out in a blaze of glory. Hot or not, the attackers never seem to take a break, the exploits keep on coming, and so do the patches as Microsoft and other software vendors race to keep up.
To IT security folks, August has special meaning: the annual Black Hat conference in Las Vegas and its sort-of-sister event that follows, Defcon – both of which address the complex landscape of computer/network/Internet security but from very different points of view. Black Hat, which started as a gathering “for hackers by hackers”, is now solidly part of the establishment, attended heavily by corporate and law enforcement personnel. Defcon has matured to an extent over the years as well, but remains the less formal, less mainstream, more dramatic, and definitely more fun affair.
I wasn’t able to make it to Las Vegas for the conferences this year, but highlights included the news that Microsoft is planning to up its bounty program to offer up to $300,000 rewards to security researchers who discover exploits for vulnerabilities in the Azure cloud platform. But it’s not just about the money; the company is offering cloud host testing environments (Azure Security labs), where researchers will be able to test live exploits.
We were also reminded that not all exploits are technological. Social engineering is still alive and working well, especially when you appear to have the law on your side. One security expert showed how the privacy laws that are intended to protect our personal information can be exploited to do the opposite, with the finding that citing the European Union’s General Data Protection Regulation (GDPR) enabled him to get supposedly private information from companies about his fiancee.
As if software vulnerabilities weren’t enough to worry about. At least there are patches to address them, while there are no quick fixes for human gullibility. So let’s be thankful for that and drill down into some of the specifics of this month’s software updates and the vulnerabilities that they address.
The following security advisories were released on Patch Tuesday this month:
ADV190014 | Microsoft Live Accounts Elevation of Privilege Vulnerability. An elevation of privilege vulnerability exists in Outlook Web Access (OWA) regarding a possible unsigned token. An attacker who successfully exploited this vulnerability could have access to another person’s email inbox.
As usual, the largest number of vulnerabilities patched is in Windows 10, but all versions of the Windows OS saw almost twice as many fixes as last month. Windows 10 versions 1809 and 1903 are getting patches for a whopping sixty-four vulnerabilities. Windows 10 version 1803 gets sixty-one, and the oldest version, 1709, comes in at fifty-three.
A hefty number of these are rated critical, too: fifteen in 1803, fourteen in 1809, thirteen in 1903, and thirteen in 1709. The critical vulnerabilities are remote code execution issues, with most of those in the Desktop Services and Microsoft Graphics components of the operating systems.
Just like last month, Windows Server 2019, the newest version of the Server OS, had the largest number of patches with sixty-five vulnerabilities patched. Server 2016 got fixes for fifty security flaws, Server 2012 R2 got forty, and Server 2008 R2 got thirty-nine. Fourteen of the issues were rated critical for Server 2019, while only eleven were deemed critical in the other server versions.
Windows 10 and Windows Server 2019
See the following KB articles for information about the issues addressed by the August 13 updates for the various versions of Windows 10:
- Windows 10 version 1709 – KB4512516 – Cumulative Update. Includes security fixes for Windows Wireless Networking, Windows Storage and Filesystems, Windows App Platform and Frameworks, Microsoft Scripting Engine, Microsoft Edge, Windows Server, Windows MSXML, the Microsoft JET Database Engine, Windows Datacenter Networking, Windows Virtualization, Windows Cryptography, Windows Input and Composition, and Internet Explorer.
- Windows 10 version 1803 – KB4512501 – Cumulative Update. Includes security fixes for Windows Wireless Networking, Windows Storage and Filesystems, Windows App Platform and Frameworks, Windows Datacenter Networking, Microsoft JET Database Engine, Windows Input and Composition, Windows MSXML, Internet Explorer, Windows Server, Microsoft Scripting Engine, Windows Cryptography, Windows Virtualization, Microsoft Edge, and Windows Shell.
- Windows 10 version 1809/Windows Server 2019 – KB4511553 – Cumulative Update. Includes security updates to Windows App Platform and Frameworks, Windows Wireless Networking, Windows Storage and Filesystems, Microsoft Scripting Engine, Internet Explorer, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Datacenter Networking, the Microsoft JET Database Engine, Windows Server, Windows Kernel, Windows MSXML, and Microsoft Edge.
- Windows 10 version 1903/Windows Server 2019 – KB4512508 – Cumulative Update. Includes security updates to Windows App Platform and Frameworks, Windows Storage and Filesystems, Microsoft Scripting Engine, Windows Input and Composition, Windows Wireless Networking, Windows Cryptography, Windows Datacenter Networking, Windows Virtualization, the Microsoft JET Database Engine, Windows Linux, Windows Kernel, Windows Server, Windows MSXML, Internet Explorer, and Microsoft Edge.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above. Note that some of the cumulative updates also address non-security issues. This article focuses on the security-related fixes.
Older client operating systems
If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates, as critical vulnerabilities apply across all versions.
The following security updates apply to previous Windows operating systems:
- Windows 8.1/Server 2012 R2 – KB4512488 (Monthly Rollup) and KB4512489 (Security-only update). These include security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Wireless Networking, Windows Virtualization, Windows Datacenter Networking, Windows Storage and Filesystems, the Microsoft JET Database Engine, Microsoft Scripting Engine, Windows MSXML, Internet Explorer, and Windows Server.
- Windows 7 – KB4512506 (Monthly Rollup) and KB4512486 (Security-only update). These include security updates to Windows App Platform and Frameworks, Windows Wireless Networking, Windows Storage and Filesystems, Windows Virtualization, Windows Datacenter Networking, Microsoft Scripting Engine, the Microsoft JET Database Engine, Windows Input and Composition, Windows MSXML, Internet Explorer, and Windows Server.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above.
Prior Windows Server operating systems
Windows Server 2008 and 2012 received regular monthly and security-only updates as follows:
- Windows Server 2008 SP2 – KB4512476 (Monthly Rollup) and KB4512491 (Security-only update). Includes security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Virtualization, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Wireless Networking, Microsoft JET Database Engine, the Microsoft Scripting Engine, and Windows MSXML.
- Windows Server 2012 – KB4512518 (Monthly Rollup) and KB4512491 (Security-only update). Includes security updates to Windows App Platform and Frameworks, Windows Wireless Networking, Windows Storage and Filesystems, Windows Server, Windows Input and Composition, the Microsoft JET Database Engine, Windows MSXML, Windows Datacenter Networking, Microsoft Scripting Engine, Internet Explorer, and Windows Virtualization.
Note that updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
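A quick way to verify that the right August 13 update from the lists above has actually landed on a machine is to map the reported Windows version to its KB number and look it up in the installed hotfixes. The script below is an added example, not from the original post: the KB numbers are the ones listed above, while the version-to-KB mapping, the use of the registry ReleaseId and the OS caption to select a row, and the reliance on Get-HotFix listing cumulative updates are this example's own assumptions.

```powershell
# Added example, not part of the original post. KB numbers are from the post;
# the mapping logic and the choice of ReleaseId / OS caption as the lookup key
# are assumptions made for this example.

# Windows 10 / Server 2019 cumulative updates, keyed on the registry ReleaseId.
$byReleaseId = @{
    '1709' = @('KB4512516')
    '1803' = @('KB4512501')
    '1809' = @('KB4511553')   # also Windows Server 2019
    '1903' = @('KB4512508')
}

# Older versions, matched on the OS caption. Order matters: each R2 entry must
# be tested before its non-R2 sibling, since "-like" would match both.
$byCaption = @(
    @{ Name = 'Windows Server 2012 R2'; KBs = @('KB4512488', 'KB4512489') },
    @{ Name = 'Windows 8.1';            KBs = @('KB4512488', 'KB4512489') },
    @{ Name = 'Windows Server 2012';    KBs = @('KB4512518', 'KB4512491') },
    @{ Name = 'Windows Server 2008 R2'; KBs = @('KB4512506', 'KB4512486') }, # same rollup as Windows 7 SP1
    @{ Name = 'Windows 7';              KBs = @('KB4512506', 'KB4512486') },
    @{ Name = 'Windows Server 2008';    KBs = @('KB4512476', 'KB4512491') }  # SP2
)

function Get-ExpectedAugust2019KBs {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
    if ($cv.ReleaseId -and $byReleaseId.ContainsKey([string]$cv.ReleaseId)) {
        return $byReleaseId[[string]$cv.ReleaseId]
    }
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    foreach ($row in $byCaption) {
        if ($caption -like "*$($row.Name)*") { return $row.KBs }
    }
    return @()
}

function Test-August2019Patch {
    $expected = Get-ExpectedAugust2019KBs
    if (-not $expected) { Write-Warning 'No August 2019 KB mapping for this OS version'; return $false }
    # Get-HotFix reads Win32_QuickFixEngineering; either the rollup or the
    # security-only package satisfies the check.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($expected | Where-Object { $installed -contains $_ })
    if ($found.Count -gt 0) { Write-Output "Installed: $($found -join ', ')"; return $true }
    Write-Warning "Missing: expected one of $($expected -join ', ')"
    return $false
}

Test-August2019Patch
```

Because later cumulative updates supersede these packages, a machine patched after August may legitimately not show these KB numbers; in that case compare against the current month's list instead.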
Microsoft web browsers
Microsoft Internet Explorer 11 gets patches for four vulnerabilities this time around, and two of them are rated critical, while Edge ups that number significantly with a total of nine (seven of which are critical) vulnerabilities. All of these are Chakra scripting engine memory corruption vulnerabilities.
The following security updates apply to Microsoft’s web browsers:
KB4511872 – Cumulative security update for Internet Explorer. This security update resolves several reported vulnerabilities in Internet Explorer.
Vulnerabilities in the Edge browser are addressed by Windows 10 operating system updates.
Other Microsoft products and services
Updates were also released this month for the following software:
- Visual Studio
- Active Directory
- Microsoft Office, Office Services, and Web Apps
- Microsoft Dynamics
- Online services
- ChakraCore
There are a number of known issues with the various updates, so please check out the KB articles listed under “Known Issues” in the August 2019 Release Notes in the Microsoft Security Update Guide portal.
The following are some of the critical vulnerabilities addressed by this month’s updates:
CVE-2019-0720 | Hyper-V Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability. A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. To exploit the vulnerability, an attacker could send specially crafted DHCP responses to a client.
CVE-2019-1144 | Microsoft Graphics Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability.
CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability. A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1183 | Windows VBScript Engine Remote Code Execution Vulnerability. A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1188 | LNK Remote Code Execution Vulnerability. A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system.
CVE-2019-1133 | Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1131 | Chakra Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.