
Microsoft has rolled out its July 2019 Patch Tuesday cumulative updates. This is a bumper edition of the monthly rollup: a total of 77 vulnerabilities have been fixed in this release, across services such as Office, Windows, SQL, and more.

As well as those 77 vulnerability fixes, Microsoft has issued fixes for two zero-day flaws that it says were exploited in the wild.

The first of those zero-day vulnerabilities is tracked as CVE-2019-0880 and is described as an elevation of privilege bug. The flaw is widespread, affecting Windows Server 2012, 2016, and 2019, as well as Windows 8.1 and Windows 10.

Microsoft rated the bug as “important” in its severity rating and says attacks could allow bad actors to gain access to a system.

“A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.

“This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted,” Microsoft’s note says.

Windows 7 Vulnerability

Next up is another zero-day, this one affecting Windows 7 and Windows Server 2008. Microsoft details this flaw in its notes for CVE-2019-1132, describing it as a Win32k elevation of privilege vulnerability.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the company explains.

It is worth noting an attacker would need local access and the ability to log on to a system to exploit this flaw.