Vulnerabilities / Threats

8/9/2017
11:48 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Fixes 27 Remote Code Execution Flaws

Microsoft issued patches for 48 vulnerabilities as part of its monthly Patch Tuesday update, 25 of which were 'critical.'

Microsoft released fixes for 48 vulnerabilities as part of its August Patch Tuesday update. Fifteen affect Windows, 25 were rated as critical, 21 as important, and 27 could result in remote code execution if exploited.

These patches address problems in Windows, Internet Explorer, Microsoft Edge, SharePoint, SQL Server, Hyper-V, the subsystem for Linux, and Kernel. Two affect all supported versions of Windows, including all editions of Windows 10 and Windows Server. Microsoft said that none of the bugs are being exploited in the wild.

Experts suggest prioritizing CVE-2017-8620, a vulnerability in Windows Search that can be exploited remotely via SMB to take over a system, affecting workstations and servers. The bug is not within SMB and unrelated to flaws used in WannaCry and NotPetya.

The vulnerability exists when Windows Search handles objects in memory, Microsoft reports in an advisory. An attacker could exploit the flaw by sending specially crafted messages to Windows Search. Those with access to a target device could elevate privileges and install programs; view, change, or delete data; or create new accounts with full user privileges.

"This is by far the most critical bug for this month," says Dustin Childs at the Zero Day Initiative, which reports CVE-2017-8620 is "under active attack." A previous Search flaw also allowed a malicious SMB request to execute code on target machines.

"As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer," he adds. "That's pretty close to wormable and just the sort of thing malware writers look for in a bug."

Childs also advises prioritizing CVE-2017-8664, a Windows Hyper-V Remote Code Execution Vulnerability. On a host server, Hyper-V does not properly validate input from authenticated users on guest operating systems, he explains.

While this flaw is neither publically known nor actively exploited, and is rated "important," Childs says it warrants attention because an attacker on a guest OS could use it to escape and launch code on the underlying hypervisor.

Multiple vulnerabilities addressed in Microsoft's August release involve the Scripting Engine, which affects both Microsoft Office and browsers and should be prioritized for workstations running email and using the Internet through a browser, says Jimmy Graham, director of product management at Qualys.

"Also of note is a vulnerability in the Windows Font Engine, CVE-2017-8691," Graham adds. "This vulnerability can also be exploited through a browser. For systems running Windows 10 and Microsoft Edge, CVE-2017-0293 impacts the PDF viewer functionality."

All of this month's Windows updates have a public disclosure in common, reports Iventi product manager Chris Goettl. CVE-2017-8633, a flaw in Windows Error Reporting, could allow a privilege escalation exploit. An attacker could launch a specially crafted application to cause an error, which would let them increase their privileges to access information and functionalities.

Windows 10 has another public disclosure in CVE-2017-8627, a bug in the Windows Subsystem for Linux that could enable a denial-of-service attack. An attacker could fun a specially crafted file to launch a DoS attack against the local system.

Adobe has also released patches for 67 vulnerabilities, 43 of which are rated Critical. Most of the vulnerabilities are for Adobe Acrobat and Reader. Two flaws were fixed in Adobe Flash; one was labeled Critical. Microsoft released a version of the Adobe patch for Flash in Internet Explorer; it plans to end support for Flash by the end of 2020.

Microsoft patches released this week do not protect against SMBLoris attacks, which involve denial-of-service attacks against Windows systems running any version of SMB and Samba.

"It is recommended that systems exposed to the Internet do not have port 445 open, and that all systems that may be connected to untrusted networks leverage a local firewall to prevent access to port 445," Graham advises businesses to protect against SMBLoris.

Goettl recommends businesses focus on updates for the OS, Flash, Reader, and browsers. There are several Critical vulnerabilities resolved here, he says, and the public disclosures in OS updates give attackers a head start on developing an exploit.

"As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats," he notes. "The quicker we can plug critical vulnerabilities the lower our overall risk will be."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10869
PUBLISHED: 2018-07-19
redhat-certification does not properly restrict files that can be download through the /download page. A remote attacker may download any file accessible by the user running httpd.
CVE-2018-10870
PUBLISHED: 2018-07-19
redhat-certification does not properly sanitize paths in rhcertStore.py:__saveResultsFile. A remote attacker could use this flaw to overwrite any file, potentially gaining remote code execution.
CVE-2018-12959
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
CVE-2018-14336
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVE-2018-10620
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...