09
Jul 19

Patch Tuesday Lowdown, July 2019 Edition

Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.

Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”

The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019.

Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed such a critical flaw in the Windows DHCP client.

All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Exploder Explorer.

One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system.

CVE-2019-0865 is a denial-of-service bug in a Microsoft open-source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline.

The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system.

Mercifully, there do not appear to be any security updates for Adobe Flash Player this month.

Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days before Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge).

As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed.

If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips.

Further reading:

Qualys Patch Tuesday Blog

Rapid7

Tenable [full disclosure: Tenable is an advertiser on this blog].

Tags: , , , , , ,

67 comments

  1. Windows 8.1 had a Servicing Stack Update as well

  2. William Smith

    The DHCP issue is a DHCP SERVER issue, not a client problem.

    • So, in that case the vulnerality exploit leads to DHCP server seizure or client?

      If the client is affected, then its also a client problem.

      • It is a server issue.

        A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive.

        To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server. However, the DHCP server must be set to failover mode for the attack to succeed.

        The security update addresses the vulnerability by correcting how DHCP failover servers handle network packets.

  3. The Sunshine State

    No email notification yet again?

    • Thanks for your readership and contributions. I do not see the email you used to post this comment in my subscription list. If you signed up under another address, please let me know what that is. krebsonsecurity at gmail.com. Thanks!

  4. I’m curious about Adobe Flash Player. Seems to me the number of security flaws should be going down as the number of security fixes goes up. But for some reason I’m updating at a near constant rate. How does it happen? The number of flaws remains constant as the number of fixes goes up and up?

    • It’s not necessarily about the number of flaws, although Flash Player has typically had more than its share. It’s more about the severity (they are usually critical) and the fact that Flash has traditionally hooked very tightly into the browser, which has made it a prime target of attackers because if you merely browse to a hacked or malicious site with an outdated version of Flash (or you are unlucky enough to be hit by a zero-day flaw) it’s game over. That is precisely why Chrome and Firefox have taken such drastic measures to hobble Flash by default.

      Chrome auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it. Google soon will make Chrome users go into their settings to enable it every time they want to run it.

      Firefox also forces users with the Flash add-on installed to click in order to play Flash content. Adobe will stop supporting Flash at the end of 2020.

      • Oh, how I wish that it was Flash that expired in January 2020 instead of Windows 7!

        • I was convinced that for the last few months/years flash and win7 would be in maintenance mode and only receive updates if things were really burning: Which software firm (and which employe there) does enthusiastically search for bugs in a program that will soon be dropped from support, anyway?
          Since there still are security updates I was at least partially wrong.

          • Free support for Windows 7 ends on 14 January 2020. Business/professional support will be available for a fee for (I think) another 3 years. The kinds of extensions provided after XP’s “drop-dead” date are unlikely.

  5. In case anyone else has trouble with the July rollup failing to install on an otherwise new installation (yeah, yeah, go yell at management), try installing the June 2019 rollup first. I kicked off 2GB in updates on Monday but forgot this was going to be patch tuesday so it’s been a bit of a pain getting this bugger working. Both .msu files are available from the microsoft update catalog, I just googled to find the technote about the respective rollup which links to the appropriate search on microsoft update catalog. Once they’re downloaded just call the june (and, after rebooting, july) .msu from an elevated command prompt for less drama and you should be set.

  6. This update totally trashed my PC. It didn’t seem to update properly the first time I ran the update. When I ran the update process again then it seemed to pick up where it left off. Then, upon reboot Windows wouldn’t load at all. Thankfully I back up my machines faithfully. Had to restore my machine to last night’s backup.
    Thanks loads MS.

    • Same thing happened, had it fail a couple times then when it finally finished I had video card issues losing my dual screens then the blue screen which led me to uninstalling latest updates.. Now I just have to avoid the forced update and restart.

  7. Anyone else experiencing “Not Responding” from Windows Explorer after this update?

    • I sporadically experience “not responding” from Windows Explorer for about a year now. But they aren’t too frequent and I don’t seem to be able to find how to trigger them.

    • I have the same problem with a number of users, including my own pc. They were all up to date before hand and took last months (July 2019) update and IE suddenly decides it will start but won’t load any page or go any further. You can try it 20 times and get nothing or maybe in 5 minutes or 5 hours it will decide it wants to work. Sometimes you get a page asking you to Choose your search engine, choose your news source and choose your browser. I have been unable to find a fix that reliably resolves this.

  8. the cumulative KB4507435 have a bug with the nvidia drivers according reddit forum

  9. ChrisSuperPogi

    From another view: MS-ISAC released a similar notification email with this guidance:

    RISK:

    Government:

    Large and medium government entities: High
    Small government entities: Medium

    Businesses:

    Large and medium government entities: High
    Small government entities: Medium

    Home users: Low

    Of course, Home users should patch nonetheless!

  10. AskWoody is reporting that supposedly security-only KB4507456 for Win7 is being delivered as part of a telemetry package to induce OS upgrading prior to the end-date for regular support next year. My Win7U machine didn’t get it, but that doesn’t mean it won’t be pushed out to it at some point.

  11. Two thoughts/questions. One, why are there so many vulnerabilities being found in software nowadays? Is it because the software is so poorly designed with a lack of insight to security? Or is it just poor programming techniques? Two, do all of these updates start to bog down the system? How much larger is Windows 10 today than it was when it was released? Anyone have any idea?

    • I’ll bite. Firstly, there are a lot more people looking for them than ever before. There is name recognition and acknowledgement involved in finding and reporting these, and some companies offer financial incentives or rewards for reporting serious bugs.

      Also, traditionally companies that produce software have focused on shipping new features with future updates, but this often introduces new vulnerabilities in the process.

      I don’t have any idea about the Win 10 question.

    • Brian’s comment made me think of something. Many of the vulnerabilities being found, are found in older DLLs/libraries that are linked into newer code. Those older libraries were written with little regard to security.

      Also, Brian made me think of a phrase I’ve often coined: “Be the first to market, fix the problems later”. We live in a Capitalist nation where being the first to market/or better marketing is keen in a battle of technology. Think Beta vs VHS, HD-DVD vs Blu-Ray. When I was a Software Engineer, the marketing department was constantly getting on us to release a product before it was ready just so they could start selling it to clients. We were told that original features and fixes could be added later.

      • VHS vs Beta was won on size alone, not quality or bugs.

        Stores could fit more movie titles on their shelves to rent out smaller VHS tape cassettes, than with the larger Beta cassettes. Shipping more titles per box was easier with VHS, also because of size. So, despite being better quality in audio and video, Beta lost the war.

        • It is true that the early Beta tapes could only hold 1 hour of video while VHS could hold 2 hours, thus a movie would take twice the space on the shelf. The actual Beta cartridge is smaller than VHS though. Later versions of Beta could hold 2 hours and compete with VHS for duration and shelf space. The Beta machines, because of better quality, were more expensive than VHS machines, so that didn’t help Beta in any way. Ultimately though, JVC licensed VHS to others quicker, particularly with the rental shops, than what Sony did for its Beta. VHS tapes outnumbered Beta on the shelves at rental stores and in stores, and that is what I remember. That mass marketing/production was what won VHS the battle, despite that the Betamax was introduced first. Sony learned a lesson from that when their Blu-Ray tech went up against HD-DVD. I agree with you that Beta was the superior quality.

  12. Patricia Cipolla

    after trying to install updates from july 9, my computer was stuck at 64 % and then when it rebooted it said I had never installed any updates to my computer ever, it wiped out all my updates.

  13. Mr. Krebs,

    About CVE-2019-0865 (SymCrypt vulnerability): the bulletin only shows Windows 10, Windows Server 2019 and a couple of Server Core editions as affected OS. May I ask your source or reference for Windows 8 also being affected?

    A few weeks ago, I was also under the impression it affected more OS, older ones, but the bulletin says otherwise. I am trying to determine if older OS are still affected or not.

    Sincerely,
    Jose

  14. Does anyone else have problem with KB4507435 (Windows 10 version 1803 ) ?

    I updated using the patch from Microsoft Update Catalog, but every time I finished installing, after reboot I got the error message:

    “Failure configuring Windows updates. Reverting changes.”

    • I allowed a restart from the automatic update rather than a manual one, but otherwise it was the same here (with the same Windows version). Tried only once and have postponed the next automatic restart to next week for now.

    • EXACT same results! Windows 10.
      Never had Update problem before
      on any of the previous Updates.
      Something is wrong at MS
      Hope they correct it before my
      my OS blows up
      Ugh. Sloppy. Careless

  15. After the update, Outlook stopped working. Message 1 says that there are Exchange files missing, message 2 that it is low in critical resources.

  16. For the first time I remember, Windows 7 64 bit did a forced install of this update. I had left it in sleep mode, and was going to install it today, but the history showed it did it automatically.

  17. Does anyone know of a good community for assisting business transition to primarily Linux ecosystem? We’ve got several clients that are done with the Microsoft game and looking for alternatives. I know I’ve seen many say that it is too difficult, but there are recent cases of governments and large organizations making the switch due to licensing and other factors.

    • All operating systems require updates, including Linux. Switch if you think it’ll make you happy, but be prepared when the neighbor’s cow gives the same milk as yours.

    • You’re going to get a lot of “Linux haz prolemz too!” comments from Windows fanbois, but there are enterprise-level options.

      Canonical sells services to implement an enterprise-level Linux deployment, based on Ubuntu. This covers clients to servers to cloud. Check out “Ubuntu Advantage”.

      Red Hat Linux was just purchased by IBM, but RH have historically had the largest penetration in the enterprise space. Their current offerings are more focused server-side. What comes out of the IBM ownership should be interesting.

      SUSE Linux is also an enterprise Linux provider, but also is focused server-side.

      IF your customers can live without MS Office as their primary set of work & communication tools OR if you can wean your customers off it, then it’s possible.

      You will need to calculate ROI very carefully as your staff will be more expensive: You will need *nix experts for support and your users will have to be able to adapt their methods and processes to a different environment. However, their productivity should improve as they adapt.

      If nothing else, an enterprise customer that sets up a lab to “test out Linux in the enterprise” can at least count on some excellent discounts on their MS software costs when Microsoft finds out what they are doing.

      • RedHat is pretty awesome! When I worked as a Storage Support Engineer, the vast majority of our clients used RedHat. We had a ton use CentOS too (because it’s free) and they had very little complaints. RedHat/CentOS were actually the OS’s we had the least amount of problems with. Windows, on the other hand, was a nightmare to troubleshoot with the Storage Systems we used – especially if they used iSCSI (*shivers*).

        Not to mention we had very limited troubleshooting due to Microsoft licensing – which means we had to reach out to Microsoft for a lot of problems, even small, easy-to-fix ones. In my experience, their customer support is not that great either. “I need to escalate this to my subject matter expert” was their favorite saying. They aren’t very helpful and it made a lot of angry customers on conference calls with us, Microsoft, and the clients. Fun times.

    • I’ve been at some organizations that are using CentOS (alternative to RedHat Linux), Debian, BSD (any flavor), Ubuntu

  18. Not sure what update installed yesterday but when I now log in with my account it goes to the public desktop – basic Windows screen with a few icons. I can go to users and see my account with all my docs etc. but why am I no longer logging into my account using my PIN?

  19. Asus Win10 Laptop

    Ran the update last night and it crashed my OS (non-responsive to keyboard shortcuts). Actually got to see my first Win10 blue screen. BSOD indicated the power driver locked up.

    Have to use the laptop for a gig tonight, really hoping I won’t be restoring from backup immediately prior to needing it working properly.

  20. Nice article! Seems like quite a large round of security fixes and I don’t see these numbers going down unfortunately.

    I also noticed this, post says July 19th, you must be from the future!
    https://i.imgur.com/CxXwUnJ.png

  21. Win 7 SP1 Ultimate 64bit Generic Desktop – Works Fine

  22. After KB4507435, my entire system is flipping out. Most of my browsers don’t work properly anymore (eg can’t download images from web), my Word, Excel were removed, and after restoring them they don’t start up, same for Adobe Reader, my Windows Explorer doesn’t do anything anymore and the buttons to remove the updates are grayed out.
    Afraid I will have to do a full reboot. Sigh.

  23. Interesting one yesterday. Have to go back and check all my previous settings. Had to turn on my mainset for a change, to check my other email accounts, and win 10 told me, updates were available. That was 10 o’clock. In the am, so I let it proceed. Well, got to do that today. It finished updating and installing about 6 pm. It even changed the position on the boot loader, not nice. Well, now a proud user of 1903. Whoppy. Now have to reinstall my Nvidia drivers, refund my touchscreen drivers, and see if everything else works, durn.
    About business and Linux. I’d look at red hat first. A fairly stable version. Business orientated. Yes, they update, but, you can choose the updates, and when to update. It’s not a force you to update, you can still pick up email and do a job, with the update button notification still open. With win 10, it shut off my communications, and updated. Of course that’s not the first time I’ve seen that, my unlucky insurance agent found that out one day, it even disconnected him from his company’s hotspot till the update installed. Luckily I had the coffee pot on. Great talk.

  24. Thanks for this nice article BrianKrebs!

  25. My laptop has been updating for over an hour but it says updating your system (100 percent)…. Why is it taking so long and what should I do

  26. IME, the “progress bar” or “count down/up timer” for Windows updates is not an accurate representation of what is going on. Often Windows will say 35% done, when it’s actually completely done, or perhaps hasn’t even started yet. My advice on installing updates is to just “let it rip” and perhaps reboot the next day. I think a lot of update problems stem from people who are impatient and start thrashing about wildly while trying to show their computers “who’s the boss”.

  27. Brian, would you and others suggest that the non-IT person (me) not mess around with trying to stop Windows 10 from updating automatically? I recently purchased a new computer so I am dealing for the first time with Windows 10. With Windows 7, I took your advice and had the Windows updates set to not install automatically. I would wait a few days and then do a back-up before the install. But I don’t know enough about computers to feel comfortable dealing with something I don’t really understand.

  28. Add me to the list of MacroShaft victims. When my machine restarted, a message popped up saying: “Setting up personalized settings for Microsoft Windows Media player.” WTF? I never use the Media player intentionally, but once in a while I click on an MP3 filename accidentally. For sure, I’ve never tried to change its settings.
    After about 5-10 minutes, I got tired of waiting for the “setting up” to complete; I powered-down and powered-up again. This time Windows 7 64-bit seemed OK until I tried to open Excel. Then I got a message saying that Excel couldn’t or wouldn’t run — not that a spreadsheet was corrupted, but that Excel couldn’t get to the point where it would even try to open one!
    I must have had a premonition, because I don’t usually do a system backup before a Windows update – but I had done it this time, thank God. So now the machine is back to normal. My advice is – in addition to waiting for the latest updates to “ripen” before installing them, so to speak – ALWAYS do a system backup before you install. And yes, zap the “automatic install” setting!

    • I updated 3 win 7 PCs, a Dell 2120 was hung at the ‘do not turn off’ message for over an hour, then slowly came back to life. The other 2 went fine.

      A win10 netbook with a 32 gig SSD says it needs 5 gigs free to update but it only has 3. My programs are on the micro SD card so I haven’t found a way to clear up enough space from a standard mfg install with nothing out of the ordinary to take up space on C.

  29. I’ve had 3 computers either load to black screen or get stuck on the white dots circling on our domain with this July CU. (Windows 10, 1903)
    Haven’t seen many other people posting about this. Not sure what the issue is – I’ve restored back a total of 4 times, installed latest SSU, installed the CU manually, no dice.

  30. After installing 1903,which went fine ,patch Tuesday was next,though Windows refused to load after,so ultimately I had to reinstall 1903,which got everything back ok.In over 10 years this is the first time I have ever had problems with a monthly update….