July 2019 Threat Intelligence (CRITICAL ALERT)
This month, Microsoft have patched 77 vulnerabilities; 16 of which are ranked critical and 52 marked as important. Also included within this month’s updates are fixes for 5 vulnerabilities that were made public (but not exploited).
11 of the critical bugs are for scripting engines and browsers. The additional 5 affect the DHCP server, GDI+, the .NET Framework and the Azure DevOps server/team foundation server.
Full information on this months patches can be found here:
Zero-Days actively exploited in the wild
There were releases for ‘important’-level patches for two privilege-escalation vulnerabilities, or zero-days, known as ‘Win32k’ and ‘splwow64’. These are currently being exploited in the wild.
Although these patches were ranked ‘important’, they should be priorities because they’re potentially linked with vulnerabilities that give attackers complete system access.
The win32k flaw (CVE-2019-1132) disturbs Windows 7, Server 2008 and Server 2008 R2.
While attackers would need to gain full log on access to the system to carry out the exploit, the vulnerability if exploited would grant the attacker full control of the system. This zero-day has also been connected to a chain of attacks carried out by a group of Russian state-funded hackers.
The bug splwow64 (CVE-2019-0880) is the print driver host for 32-bit applications. This would give an attacker access to go from low to medium system privileges. If the patch can’t be deployed immediately, the vulnerability can be reduced by disabling the print spooler. This big affects Windows 8.1, Server 2012 and later OS.
Microsoft have also patched five other vulnerabilities, where the exploit details were made public and could have aided attackers; however these were not exploited until today when Microsoft released patches.
Publicly disclosed vulnerabilities
- CVE-2019-0865 – SymCrypt Denial of Service Vulnerability
- CVE-2018-15664 – Docker Elevation of Privilege Vulnerability
- CVE-2019-0962 – Azure Automation Elevation of Privilege Vulnerability
- CVE-2019-1068 – Microsoft SQL Server Remote Code Execution Vulnerability
- CVE-2019-1129 – Windows Elevation of Privilege Vulnerability
Patching is important…
Security vulnerabilities are the ‘low hanging fruit’ for hackers. Patching is essentials to keep your information safe. It is also good practice to back up your system or at least your data before you apply any updates.
Customers are advised to follow these security tips:
- Install vendor patches immediately when available.
- Run all software with least privileges while still maintaining functionality.
- Do not handle files from questionable sources.
- Avoid visiting sites with unknown integrity.
- Block external access at the network perimeter to all key systems unless access is necessary.
- The 8 most common types of cyber attack, explained
- [THREAT INTEL] NSA issues rare warning to patch against BlueKeep vulnerability
- Is ransomware the biggest threat to your IT security?
- A buyers guide to patch management software
- Types of penetration test – what’s the difference?
- Pros and cons of outsourcing your cyber security: In-house or Managed SOC?
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.