July’s Patch Tuesday Fixes Critical Flaws in Microsoft Edge and Internet Explorer, Including 2 Exploited Vulnerabilities

  • Posted on: July 9, 2019 at 3:45 pm
  • Posted in: Exploits, Vulnerabilities
  • Author: Trend Micro

It’s time to get vulnerable installations patched. Microsoft’s July Patch Tuesday release includes updates for almost 80 vulnerabilities, along with two advisories. Critical patches covered in the release include fixes for Windows DHCP Server, Azure DevOps Server and Team Foundation Server, and .NET Framework, assigned CVE-2019-0785, CVE-2019-1072, and CVE-2019-1113, respectively. Other flaws in Azure Automation, Docker, DirectWrite, DirectX, SymCrypt, Windows DNS Server, and Windows GDI have also been resolved. Elevation of privilege vulnerabilities in Microsoft splwow64 (CVE-2019-0880) and Win32k (CVE-2019-1132), which were reported as being exploited, have also been patched.

Here’s a look at some of the noteworthy patches for this month, covering Critical-rated vulnerabilities:

CVE-2019-1107 is a remote code execution (RCE) vulnerability in the way the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker who successfully takes advantage of this vulnerability can gain the same user rights as the current user and execute arbitrary code on the affected system. Successfully exploiting this vulnerability also allows an attacker to install programs, modify data, and create new accounts with full user rights on the affected system.

CVE-2019-1063 is an RCE vulnerability in Internet Explorer, which improperly accesses objects in memory. An attacker can take control of an affected system if the current user is logged on with administrative user rights. To exploit the vulnerability, an attacker can trick a user into viewing a specially crafted website through an email, email attachment, or instant message.

CVE-2019-1004 is an RCE vulnerability in the way the scripting engine handles objects in memory in Internet Explorer. An attacker can host a specially crafted website designed to exploit the vulnerability via Internet Explorer and trick a user into viewing it. An attacker can also embed an ActiveX control marked “safe for initialization” in an application or a Microsoft Office document that hosts the IE rendering engine.

CVE-2019-1104 is an RCE vulnerability that exists in the way Microsoft browsers access objects in memory. Aside from executing arbitrary code in the context of the current user, an attacker can also design a website that exploits the vulnerability through Microsoft browsers, take advantage of compromised websites by adding specially crafted content, or use social engineering to trick users into viewing attacker-controlled content in emails or instant messages.

The July security bulletin also includes updates for the denial of service (DoS) vulnerability in Linux kernel TCP SACK (ADV190020) and three flaws in Adobe products (notably none for Adobe Flash or Acrobat Reader), particularly in Bridge CC, Experience Manager, and Dreamweaver. The release also includes fixes for a number of information disclosure vulnerabilities in DirectWrite, Microsoft Exchange, Microsoft Visual Studio, Windows GDI, and Windows kernel.

Users with affected installations are advised to prioritize the updates in order to avoid possible system exploitation through unpatched vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday release via the following Deep Packet Inspection (DPI) rules:

| Rule | Description | Vulnerability |
|------|-------------|---------------|
| 1009834 | Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1107 |
| 1009835 | Microsoft Excel Information Disclosure Vulnerability | CVE-2019-1112 |
| 1009836 | Microsoft Internet Explorer Memory Corruption Vulnerability | CVE-2019-1063 |
| 1009837 | Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability | CVE-2019-1004 |
| 1009838 | Microsoft Internet Explorer And Edge Memory Corruption Vulnerability | CVE-2019-1104 |
| 1009839 | Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability | CVE-2019-1001 |
| 1009840 | Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1103 |
| 1009841 | Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1106 |
| 1009842 | Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1092 |
| 1009843 | Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1062 |

Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit this month’s list of vulnerabilities via these MainlineDV filters:

  • 35658: HTTP: Microsoft Internet Explorer Type Confusion Vulnerability
  • 35659: HTTP: Microsoft Windows Scripting Engine Use-After-Free Vulnerability
  • 35660: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
  • 35661: HTTP: Microsoft Internet Explorer Type Confusion Vulnerability
  • 35666: HTTP: Microsoft Edge Chakra Scripting Engine Out-of-Bounds Write Vulnerability
  • 35667: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
  • 35668: HTTP: Microsoft Internet Explorer Type Confusion Vulnerability
  • 35669: HTTP: Microsoft Edge JIT Object.prototype Out-of-Bounds Write Vulnerability
  • 35670: HTTP: Microsoft Edge JIT Type Confusion Vulnerability

Updated as of July 9, 2019 at 9:37 p.m. PDT to tweak headline and add details on the patches (numbers, concerned platforms, and direct links)
