Patch Tuesday Lowdown, July 2019 Edition – Krebs on Security




Microsoft today released software updates to fix nearly 80 security flaws in its Windows operating systems and associated software. Among these are patches for two zero-day vulnerabilities that are being actively exploited in the wild, and patches for four other bugs that were publicly detailed before today, potentially giving attackers a head start in working out how to use them for harmful purposes.

Setting aside the zero-days and the publicly disclosed flaws for the moment, probably the most serious vulnerability addressed in this month's patch batch (at least for enterprises) once again resides in the Windows component responsible for automatically assigning Internet addresses to host computers, a function called the "Windows DHCP server."

The DHCP vulnerability (CVE-2019-0785) exists in most supported versions of Windows Server, from Windows Server 2012 through Server 2019.

Microsoft has stated that an unauthenticated attacker could use the DHCP flaw to take total remote control of vulnerable systems, simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has fixed such a critical flaw in the Windows DHCP client.

In total, only 15 of the 77 vulnerabilities fixed today earned Microsoft's most dire "critical" rating, a label assigned to flaws that malware or miscreants could exploit to take control of computers without any help from users. It should be noted that 11 of the 15 critical vulnerabilities are present in, or are a key component of, the browsers built into Windows, namely Edge and Internet Exploder Explorer.

One of the zero-day flaws – CVE-2019-1132 – affects Windows 7 and Server 2008 systems. The other – CVE-2019-0880 – is present in Windows 8.1, Server 2012 and subsequent operating systems. Both would allow an attacker to take full control of the affected system, although each is what is known as an "elevation of privilege" vulnerability, which means that an attacker would already need some level of access to the targeted system.

CVE-2019-0865 is a denial-of-service bug in a Microsoft open source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google's Project Zero bug-hunting operation after Microsoft failed to resolve it within the 90-day disclosure period specified by Project Zero.

CVE-2019-0887 is the other previously detailed flaw, a remote code execution vulnerability in the Remote Desktop Services (RDP) component of Windows. However, this bug would also require an attacker to have already compromised a target system.

Fortunately, there do not appear to be any security updates for Adobe Flash Player this month.

Standard disclaimer: Patching is important, but it usually doesn't hurt to wait a few days for Microsoft to iron out any errors in the patches, which can cause stability or usability problems with Windows after updating. (KrebsOnSecurity will try to update this article in the event that any big problems with these patches emerge.)

As such, it's a good idea to make a habit of backing up your system – or at least your data – before applying updates. The fact is that newer versions of Windows (e.g., Windows 10+) will by default go ahead and decide for you when that should be done (often in the middle of the night). But this setting can be changed.

If you're having trouble installing one of the patches this month, feel free to leave a comment about it here; it is more than likely that other readers have experienced the same thing and may even offer useful advice.

Further reading:

Qualys Patch Tuesday Blog

Rapid7

Tenable [full disclosure: Tenable is an advertiser on this blog].



Tags: CVE-2019-0785, CVE-2019-0865, CVE-2019-0880, CVE-2019-0887, CVE-2019-1132, Microsoft Patch Tuesday July 2019, Windows DHCP flaw

This entry was posted on Tuesday, July 9th, 2019 at 6:32 pm and is filed under Time to Patch.