Microsoft Patch Tuesday — July 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 77 vulnerabilities, 16 of which are rated “critical," 60 that are considered “important” and one “moderate.”

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, Internet Explorer and the Windows Server DHCP service. For more on our coverage of these bugs, check out the SNORT® blog post here, covering all of the new rules we have for this release.

Critical vulnerabilities

Microsoft disclosed 16 critical vulnerabilities this month, nine of which we will highlight below.

CVE-2019-0785 is a memory corruption vulnerability in the Windows Server DHCP service. The bug arises when specially crafted packets are sent to a DHCP failover server. A malicious user could exploit this vulnerability by sending a specially crafted packet to a DHCP over failover mode. This could allow them to gain the ability to run arbitrary code on the DHCP failover server or cause the DHCP server to become unresponsive.

CVE-2019-1001 and CVE-2019-1004 are both memory corruption vulnerabilities that exist in the way the scripting engine handles objects in memory in Microsoft browsers. These bugs could corrupt memory on machines in such a way that attackers could gain the ability to execute arbitrary code in the context of the current user. An attacker could exploit these bugs by tricking a user into visiting a specially crafted, malicious web page through Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that uses the Internet Explorer-rendering engine.

CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106 and CVE-2019-1107 are all memory corruption vulnerabilities in the Chakra Scripting Engine that could allow an attacker to gain the ability to execute arbitrary code on the victim’s machine. An attacker could exploit these bugs by tricking a user into visiting a specially crafted, malicious web page on Microsoft Edge, or by visiting a site with attacker-created content.

CVE-2019-1113 is a remote code execution vulnerability in the .NET Framework. The vulnerability exists in the way the software checks the source markup of a file. An attacker could exploit this vulnerability by supplying the user with a specially crafted file, and then tricking them into opening it using an affected version of the .NET Framework. An attacker could then gain the ability to execute arbitrary code in the context of the current user.

The other critical vulnerabilities are:

• CVE-2019-1006
• CVE-2019-1056
• CVE-2019-1059
• CVE-2019-1063
• CVE-2019-1072
• CVE-2019-1102
• CVE-2019-1104

Important vulnerabilities

This release also contains 60 important vulnerabilities, two of which we will highlight below.

CVE-2018-15664 is an elevation of privilege vulnerability in Docker that affects Microsoft Azure internet-of-things edge devices and Azure Kubernetes Service. The bug allows a malicious or compromised container to acquire full read/write access on the host operating system where the container is running. While a fix is still ongoing in Docker, Microsoft recommends customers do not use the Docker copy command on their AKS clusters and the Azure IoT devices.

CVE-2019-1132 is an elevation of privilege vulnerability in Windows when the Win32k component fails to properly handle objects in memory. An attacker could exploit this bug to run arbitrary code in kernel mode. Microsoft disclosed that this vulnerability has been exploited in the wild.

The other important vulnerabilities are:

• CVE-2019-0811
• CVE-2019-0865
• CVE-2019-0880
• CVE-2019-0887
• CVE-2019-0962
• CVE-2019-0966
• CVE-2019-0975
• CVE-2019-0999
• CVE-2019-1037
• CVE-2019-1067
• CVE-2019-1068
• CVE-2019-1071
• CVE-2019-1073
• CVE-2019-1074
• CVE-2019-1076
• CVE-2019-1077
• CVE-2019-1079
• CVE-2019-1082
• CVE-2019-1083
• CVE-2019-1084
• CVE-2019-1085
• CVE-2019-1086
• CVE-2019-1087
• CVE-2019-1088
• CVE-2019-1089
• CVE-2019-1090
• CVE-2019-1091
• CVE-2019-1093
• CVE-2019-1094
• CVE-2019-1095
• CVE-2019-1096
• CVE-2019-1097
• CVE-2019-1098
• CVE-2019-1099
• CVE-2019-1100
• CVE-2019-1101
• CVE-2019-1108
• CVE-2019-1109
• CVE-2019-1110
• CVE-2019-1111
• CVE-2019-1112
• CVE-2019-1116
• CVE-2019-1117
• CVE-2019-1118
• CVE-2019-1119
• CVE-2019-1120
• CVE-2019-1121
• CVE-2019-1122
• CVE-2019-1123
• CVE-2019-1124
• CVE-2019-1126
• CVE-2019-1127
• CVE-2019-1128
• CVE-2019-1129
• CVE-2019-1130
• CVE-2019-1134
• CVE-2019-1136
• CVE-2019-1137

Moderate vulnerability

There is one moderate vulnerability, CVE-2019-1075, which is an information disclosure vulnerability in Windows Event Manager.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 46548, 46549, 49380, 49381, 50198, 50199, 50662 - 50683