Patch Tuesday July 2019 has seen Microsoft fix 77 vulnerabilities, including 15 rated critical and two actively exploited zero-days. Six of the vulnerabilities patched this month had been previously disclosed to the public.
The two actively exploited zero-days are both privilege escalation vulnerabilities. The first, CVE-2019-0880, affects how splwow64.exe, the 64-bit printer spooler service on 64-bit Windows systems, handles certain calls.
According to Microsoft, the flaw can be remotely exploited by an attacker to elevate privileges from low-integrity to medium-integrity. While the flaw would not permit remote code execution by itself, an exploit could be combined with an exploit for another flaw, which could lead to remote code execution.
The flaw is present in Windows 10, 8.1, Server 2012, Server 2016, Server 2019, and Server versions 1803 and 1903 and older Windows versions. Microsoft advises immediate patching. If the patch cannot be applied immediately, the printer spooler should be disabled.
The second zero-day does permit remote code execution. The vulnerability, CVE-2019-1132, is due to how the Win32k component of Windows handles objects in memory. If the flaw is exploited, an attacker could run arbitrary code in kernel mode, which would allow the installation of programs and allow an attacker to view, change, or delete data and create new accounts with administrator rights. The flaw is present in Windows 7 and Server 2008 and older Windows versions.
The publicly disclosed vulnerabilities are CVE-2019-0865, CVE-2018-15664, CVE-2019-0962, CVE-2019-1068, CVE-2019-1129, and CVE-2019-1130. The first four were disclosed by Google Project Zero researcher Tavis Ormandy and the last by SandboxEscaper.
The critical flaws affect .NET Framework, Azure DevOps, Internet Explorer, Microsoft Browsers, Microsoft Graphics Component, Microsoft Scripting Engine (8), and Windows. A critical advisory, ADV990001, has also been issued regarding the latest Servicing Stack updates.
Adobe has issued patches for flaws in Experience Manager (12), Bridge CC (3), and Dreamweaver (3). None of the vulnerabilities have been rated critical. All are either important or moderate severity. None have been exploited in the wild.