09 Jul 19

Patch Tuesday Lowdown, July 2019 Edition

Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.

Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”

The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019.

Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed such a critical flaw in the Windows DHCP client.

All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Exploder Explorer.

One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system.

CVE-2019-0865 is a denial-of-service bug in a Microsoft open-source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline.

The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system.

Mercifully, there do not appear to be any security updates for Adobe Flash Player this month.

Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days before Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge).

As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed.
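As an added illustration of that habit (not part of the original post), the following PowerShell creates a restore point before letting Windows Update run and then confirms afterwards that the expected cumulative update landed; it assumes an elevated session on a Windows 10 client, and the KB number is a placeholder taken from a reader's comment below.

```powershell
# Added example (not from the post): snapshot the system before applying the
# month's updates, then confirm afterwards which fix actually installed.
# Assumes an elevated PowerShell session on a Windows 10 client. The KB number
# is a placeholder from a reader's comment below; substitute the cumulative
# update that applies to your own build.

$ExpectedKB = 'KB4507469'   # July 2019 cumulative update for Windows 10 1809

# Make sure System Protection is on for the system drive, then create a restore point.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Pre Patch Tuesday July 2019' -RestorePointType 'MODIFY_SETTINGS'
# Caveat: since Windows 8, Checkpoint-Computer creates at most one restore point
# per 24 hours; if one already exists it returns without creating another.

# Verify a restore point is actually there before letting Windows Update proceed.
Get-ComputerRestorePoint |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1 |
    Format-List SequenceNumber, Description, CreationTime

# --- run after the update has installed and the machine has rebooted ---
$Installed = Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue
if ($Installed) {
    '{0} installed on {1}' -f $Installed.HotFixID, $Installed.InstalledOn
} else {
    "$ExpectedKB is not installed yet"
}
```

Checkpoint-Computer is a client-only cmdlet; on Windows Server the equivalent safeguard is a backup or VM snapshot taken before patching.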

If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips.

Further reading:

Qualys Patch Tuesday Blog

Rapid7

Tenable [full disclosure: Tenable is an advertiser on this blog].



  1. Brian what happened to my lengthy comment of yesterday? I thought that it was rather humorous in part or do you have friends at Microsoft who do not like to be humiliated. After all these years Brian I am somewhat disappointed

    • BaliRob,

      I don’t see any other comment from you, either here or in the spam folder. I don’t censor comments; occasionally I delete comments that are abusive or outright spammy, but in general I simply don’t have time to wade through them all.

      However, I DO unpublish comments from people who baselessly accuse me of somehow censoring comments to favor some company (and Microsoft of all companies). If you have a problem, or a comment you posted doesn’t appear, just send me a note through the contact form.

      https://krebsonsecurity.com/about/

    • In Brian’s defense, this site is under constant DDOS attack and uses WordPress.

      The first can prevent the site from receiving your comment, while the latter occasionally delays a comment from appearing.

      Do not ascribe to malice, et cetera.

  2. After installing 2019-07 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4507469) I log into the public desktop and not my user account. I can see my account under users but why is it going to the public desktop when logging in with my PIN?

  3. Dear Brian,

    If you did not receive my comment but have received this there must be a gremlin at work in the early Bali hours (1am). As for accusations I have been one of your most ardent supporters since you opened up shop. But I take this opportunity to offer my apologies which would not have been the case had my comment survived.

    I will take the opportunity here to state that – whoever is responsible for the Updates does not do his/her job properly and should take greater care. You, Brian, cannot deny the number of computers that are trashed every month because MICROSOFT is incapable of lateral thought. But having to spend hours trying to unravel the chaos on my Win8.1 made me angry because Win Troubleshooter had no idea at all. I had to do what we always did under XP and that was to install a Recovery Date before the Update. That is very aggravating also because MS never tells us when it is safe to allow the Update to continue afterwards.

  4. I let the July 9 cumulative update for Windows 10 1803 install (using the update and restart option) run the evening of July 10. The update “failed” and backed itself out (which took a half hour of repetitive steps). I shutdown my laptop at the end of the day, and everything was fine the next day…until it was time to shutdown. I had to choose between update and shutdown or update and restart. The update failed again, and laboriously backed itself out. The next day I started looking for help with the problem. I wasn’t comfortable with trying to delete the downloaded update out of my system, so ended up calling the store where I bought the laptop to ask for “technical assistance”. I ended up taking the laptop in the next day so they could look at it.

    They tried to delete the downloaded update, thinking it was corrupted, and planned to download a “fresh” copy of it. I don’t know if that would have fixed the problem or not, because they weren’t able to successfully delete the update. I asked about skipping the cumulative update to 1803 and just installing the Windows 10 1903 update. They thought this would be easier than trying to fix a “bad patch”, so we started that update.

    I left my laptop at the store while 1903 downloaded. When I returned, they said the download was 100% completed, but they had not had a chance to check on the install. When they did that, they found it was “stalled”. They confessed to having had a “cable” problem while downloading to my laptop, and thought that perhaps it had actually disrupted or corrupted the download. So, they tried to restart it. The usual “tools” didn’t work, so they used some other method of starting another download.

    Even techs who (supposedly) are used to the process of downloading and installing updates couldn’t tell what the heck was going on. In the end it turned out they had two download/installs of 1903 going at the same time. After hours of the second iteration downloading, verifying, and preparing for the update, it “failed” because it detected the first iteration still “installing”.

    I’m sure the second download-and-update was slowing down the install step of the original attempt (and vice versa). At the end of seven hours’ time, the first download of 1903 was installing but taking an average of about 7 minutes to increase the completion count by 1%. The tech guys left it running overnight, and called me in the morning to say it had completed successfully and the laptop appeared to be running “normally”.

    I have very little customized on this laptop, but Mozilla Firefox, LibreOffice, and Avast were all still running normally when I picked up my laptop. And so was Ad-block Plus. However, my display configuration was completely erased and had to be reset from what (I guess) are the new defaults.

    I also have a desktop running Windows 10 1803. The July 9 cumulative update installed on that PC with no problem. However, after watching the “techs” install the 1903 update, I’m now VERY hesitant to tackle that myself. I’m sure my (out in the country) home DSL is much slower than the tech’s download link, and I envision having the PC tied up for hours on end when I can’t monitor it (working elsewhere during the day, and not really able to stay up all night babysitting it) as well as never knowing whether I can believe what it says on the screen about the progress of the download/install, or whether it is “hung up” or running.

  5. It is only 2019.07.14.

    Your post is dated 07.19. Nitpicking me.

    The big issue is the poor quality of Microsoft products – e.g. Win 10 and Office 365. And its monopoly in these markets. Buggy… Their cloud concept is seriously broken – it has created a moveable feast of new bugs and other issues, that change every day, almost. It has taken control from the customer (from the time that we had non-cloud apps that were consistent and reliable). If I make a ‘thing’ in Europe, I am legally liable if it does bad things. The world is being abused by American companies like MS who license rubbish-ware, and hide behind their small print.

  6. I must say that these updates take long and longer to apply. I am a couple of hours in, and it is doing “stuff” but no sign of the end as of yet.

  7. After installing that patch, the next time I booted up the PC I got some error about my user credentials. I had to reboot. Then I noticed a new update available, but when I try to install it, I am told I must log in as an administrator. Trouble is, I’m the only user on the PC and I am listed as an administrator. Haven’t found a fix on the MS support page.

    • It’s the Servicing Stack Update that is telling me I need to be an administrator when I already am the one and only. Any tips would be appreciated. Keep up the great work Mr. Krebs. Your site is essential.
