Yesterday, Microsoft published its monthly roll-up of security updates known as Patch Tuesday. This month, the company patched 77 vulnerabilities, including two zero-days — security flaws that were being actively exploited in the wild. The two zero-days are CVE-2019-0880 and CVE-2019-1132, and both are privilege escalation issues. They don’t allow hackers to take over users’ computers remotely, but are used after the hacker has gained access to a system to elevate access rights to a high-privileged account.
Satnam Narang, Senior Research Engineer at Tenable:
“This month’s Patch Tuesday release contains updates for nearly 80 CVEs, including fixes to address two zero-day vulnerabilities (CVE-2019-1132, CVE-2019-0880) exploited in the wild as well as six other zero-days.
CVE-2019-1132 is an elevation of privilege vulnerability that enables improper handling of objects in memory by a Win32k component. Successful exploitation could result in arbitrary code execution in kernel mode, which is typically reserved for trusted functions of the operating system. An attacker would first need to establish a presence on a target system in order to exploit this vulnerability and gain elevated privileges.
CVE-2019-0880 is an elevation of privilege vulnerability in splwow64.exe. According to the advisory, the vulnerability could be combined with a remote code execution or a separate elevation of privilege vulnerability to gain arbitrary code execution. Because it was exploited in the wild, it is likely it was paired with another vulnerability, but those details are not currently available.
CVE-2019-0865 is a denial of service vulnerability in SymCrypt, the cryptographic library used to handle cryptographic functions on Windows. Using a specially crafted digital signature, an attacker could exploit this flaw by embedding the signature in a message or as part of a secure connection request. This vulnerability was publicly disclosed in June by Google Project Zero researcher Tavis Ormandy.
CVE-2019-0887 is a remote code execution vulnerability in Remote Desktop Services. Exploitation of this vulnerability could result in arbitrary code execution, but requires an attacker to have already compromised a target system. This vulnerability was first published in a blog on Reverse RDP attacks in February 2019 which included one CVE that did not receive a CVE-ID.”