This month’s Microsoft Patch Tuesday addresses 77 vulnerabilities with 15 of them labeled as Critical. Of the 15 Critical vulns, 11 are for scripting engines and browsers, with the remaining four covering DHCP Server, GDI+, .NET Framework, and Azure DevOps Server / Team Foundation Server. In addition, Microsoft has released Important patches for two actively exploited privilege escalation vulnerabilities, as well as a SQL Server RCE. Microsoft also issued two advisories for Outlook on the web and Linux Kernel vulnerabilities. Adobe issued patches today for Bridge CC, Experience Manager, and Dreamweaver.
Scripting Engine, Browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
DHCP Server RCE
A Remote Code Execution vulnerability (CVE-2019-0785) exists in Microsoft’s DHCP Server when configured for failover. An attacker with network access to the failover DHCP server could run arbitrary code. This patch should be prioritized for any systems running DHCP in failover mode.
Actively Attacked Privilege Escalation
Microsoft released patches for two privilege escalation vulnerabilities (CVE-2019-1132 and CVE-2019-0880) in Win32k and splwow64 that have been exploited in the wild. These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access.
SQL Server RCE
A Remote Code Execution vulnerability (CVE-2019-1068) in Microsoft SQL Server is also covered in today’s patch release. This vulnerability is ranked as Important, and does require authentication. However, this vulnerability could be chained with SQL injection to allow an attacker to completely compromise the server.
Azure DevOps Server / Team Foundation Server
Azure DevOps Server and Team Foundations Server (TFS) are affected by a Remote Code Execution vulnerability (CVE-2019-1072) that is exploited through malicious file uploads. Anyone who can upload a file can run code in the context of the Azure DevOps / TFS account. This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.
Outlook on the web XSS
Microsoft issued an advisory on a cross-site scripting vulnerability in Outlook on the web (formerly OWA). This vulnerability involves an attacker sending a malicious SVG file, but requires the targeted user to open the image file directly by dragging it to a new tab or pasting the URL into a new tab. While this is an unlikely attack scenario, Microsoft recommends blocking SVG images.
Linux Kernel TCP SACK DoS
Several DoS vulnerabilities were reported in June for the Linux kernel (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). Microsoft has issued an advisory with information and links regarding these vulnerabilities.
Adobe Patch Tuesday
Adobe has issued patches for Bridge CC, Experience Manager, and Dreamweaver. Experience Manager is patched for three vulns, while Bridge and Dreamweaver each have one. None are labeled as Critical, and the highest rated vuln for each software is Important.