This month sees Microsoft patch two zero-day vulnerabilities in Windows, an issue that may cause BitLocker to go into recovery mode, and the usual list of important and critical flaws for other products.
Windows 10 and Windows Server 2016/2019
Out of this month’s two zero-days, only one affects Windows 10. A local elevation of privilege (EOP) vulnerability (CVE-2019-0880) in splwow64.exe could allow an attacker to elevate privileges on an affected system from low-integrity to medium-integrity. Microsoft says that this bug by itself doesn’t allow anyone who exploits it to run arbitrary code but in conjunction with another vulnerability, like a remote code execution (RCE) or other EOP flaw, it might be possible.
There’s one critical RCE flaw (CVE-2019-1102) patched in the way the Windows Graphics Device Interface (GDI) handles objects in memory. It could let an attacker install programs or change data with full user rights. So, users configured with few user rights are at less risk than those with administrative privileges. The attack could manifest itself if a user visits a specially crafted website or opens an infected file.
There are 13 important EOP and 11 RCE flaws patched as part of the cumulative update. Additionally, Microsoft patched 11 critical RCE flaws in Internet Explorer 11 and Microsoft Edge, including scripting engine and browser memory corruption vulnerabilities. There’s also a servicing stack update (SSU) for Windows 10 (KB4509096), which is also available for older versions of Windows. It fixes an issue with a Secure Boot feature update that may cause BitLocker to go into recovery mode because of a race condition.
Windows 7, 8, and Windows Server 2008 R2
The second zero-day this month (CVE-2019-1132) affects Windows 7 Service Pack 1 and Windows Server 2008 and 2008 R2, and it’s rated critical. It’s an EOP flaw in the Win32k component that fails to properly handle objects in memory. If successfully exploited, an attacker could launch arbitrary code in kernel mode and then install programs and change system data with full user rights. To exploit this flaw, an attacker would need to log in to the system and then run a program designed to exploit the vulnerability.
In addition to the patched IE11 bugs that I mentioned above and the zero-day, Windows 7 SP1 receives one patch for an important RCE in Remote Desktop Services (RDS) and 6 patches for important EOP bugs. Windows Server 2008 R2 gets the same patches, including the important RCE for RDS and 13 rated important for information disclosure.
Microsoft Exchange and SharePoint
Exchange Server 2010, 2013, and 2016 get an important EOP patch (CVE-2019-1136) that could allow an attacker to gain the same rights as an Exchange user, potentially allowing them to perform activities, like accessing other users’ mailboxes. This flaw can only be exploited when Exchange Web Services (EWS) is enabled. Microsoft changed the way EWS handles NTLM tokens to fix the issue. A cross-site-scripting spoofing vulnerability (CVE-2019-1137) affects Exchange 2013, 2016, and 2019; and finally, there’s an information disclosure vulnerability where Exchange allows the creation of entities with Display Names having non-printable characters that affects all versions of Exchange, Lync, Office, Office 365, Outlook, and Skype for Business.
All versions of SharePoint are patched for a WCF/WIF SAML token authentication bypass vulnerability (CVE-2019-1006) that could let an attacker impersonate another user, potentially leading to elevation of privilege. It’s rated important.
Office 365 ProPlus and Microsoft Office get patches for two important RCEs, both of which correct how Excel handles objects in memory. The flaw would require a user to open a specially crafted file. Standard users would be less impacted than those with administrative privileges.
Unusually this month there are no security patches for Flash Player or Acrobat Reader.