Microsoft Patches Two Zero Day Vulnerabilities


Microsoft has addressed 77 vulnerabilities in its July Patch Tuesday update, with 15 of them rated as critical and two known to be under active exploitation. Eleven of the critical bugs are in scripting engines and browsers, and the four others affect the DHCP Server, GDI+, the .NET Framework and the Azure DevOps Server/Team Foundation Server. Scripting engine, browser, GDI+, and .NET Framework patches should be prioritized for workstations, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

The Microsoft ChakraCore Scripting Engine, Internet Explorer 11 and Microsoft Edge all have a memory corruption vulnerability in their scripting engine, detailed in CVE-2019-1001, that could lead to RCE. The vulnerability exists in the way that the scripting engine handles objects in memory, and successful exploitation could allow an attacker to execute arbitrary code. A monthly memory corruption vulnerability in the scripting engine of Microsoft browsers is almost expected, as it is still a prime target for attackers who weaponize these vulnerabilities quickly.


On the server side, the DHCP Server bug, CVE-2019-0785, is a remote code-execution (RCE) flaw that exists when the server is configured for failover. A hacker with network access to the failover DHCP server could run arbitrary code. It affects all versions of Windows Server from 2012 to 2019. One of the most critical vulnerabilities this month is present in Microsoft DHCP Server. This memory corruption vulnerability allows a hacker to send a specially crafted packet to a DHCP server and, if successful, execute arbitrary code.
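Because the DHCP flaw applies when a server is configured for failover, a first triage step is to list which DHCP servers have failover relationships. The following is an added example, not part of the original article or any Microsoft guidance; it assumes the DhcpServer PowerShell module (RSAT) is installed and that the account can query each server, and the function name `Get-DhcpFailoverExposure` is hypothetical.

```powershell
# Added example: report which DHCP servers have IPv4 failover configured,
# so they can be patched first. Assumes the DhcpServer module (RSAT).
Import-Module DhcpServer -ErrorAction Stop

function Get-DhcpFailoverExposure {
    param(
        # Servers to check; defaults to every DHCP server authorized in AD.
        [string[]]$ComputerName = (Get-DhcpServerInDC).DnsName
    )

    foreach ($server in $ComputerName) {
        try {
            # Returns one object per failover relationship, or nothing if none.
            $relations = @(Get-DhcpServerv4Failover -ComputerName $server -ErrorAction Stop)

            [pscustomobject]@{
                Server             = $server
                FailoverConfigured = $relations.Count -gt 0
                Relationships      = $relations.Name -join ', '
                Partners           = ($relations.PartnerServer | Sort-Object -Unique) -join ', '
                Status             = 'Queried'
            }
        }
        catch {
            # An unreachable server is reported as unknown, not as safe.
            [pscustomobject]@{
                Server             = $server
                FailoverConfigured = $null
                Relationships      = ''
                Partners           = ''
                Status             = "Query failed: $($_.Exception.Message)"
            }
        }
    }
}

# Failover-enabled servers first, then servers that could not be queried.
Get-DhcpFailoverExposure |
    Sort-Object @{ Expression = 'FailoverConfigured'; Descending = $true }, Status |
    Format-Table -AutoSize
```

Servers whose status is "Query failed" should be checked by hand, and each partner listed for a failover relationship is itself a failover DHCP server that needs the update.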

Azure DevOps Server/Team Foundation Server

Azure DevOps Server and Team Foundation Server (TFS) are affected by an RCE vulnerability, CVE-2019-1072, that can be exploited through malicious file uploads. Anyone who can upload a file can run code in the context of the Azure DevOps/TFS account. This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations. Researchers noted that successful exploits of this vulnerability require the targeted project to allow anonymous file submissions. If an attacker submitted a specially crafted file to the target project as an anonymous user, they would be able to execute arbitrary code on the target server. Azure has not been a big target for exploitation in the past, but this vulnerability should be patched quickly because of the ease with which it could be exploited at scale.