Vulnerabilities / Threats

8/9/2017
11:48 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Fixes 27 Remote Code Execution Flaws

Microsoft issued patches for 48 vulnerabilities as part of its monthly Patch Tuesday update, 25 of which were 'critical.'

Microsoft released fixes for 48 vulnerabilities as part of its August Patch Tuesday update. Fifteen affect Windows, 25 were rated as critical, 21 as important, and 27 could result in remote code execution if exploited.

These patches address problems in Windows, Internet Explorer, Microsoft Edge, SharePoint, SQL Server, Hyper-V, the subsystem for Linux, and Kernel. Two affect all supported versions of Windows, including all editions of Windows 10 and Windows Server. Microsoft said that none of the bugs are being exploited in the wild.

Experts suggest prioritizing CVE-2017-8620, a vulnerability in Windows Search that can be exploited remotely via SMB to take over a system, affecting workstations and servers. The bug is not within SMB and unrelated to flaws used in WannaCry and NotPetya.

The vulnerability exists when Windows Search handles objects in memory, Microsoft reports in an advisory. An attacker could exploit the flaw by sending specially crafted messages to Windows Search. Those with access to a target device could elevate privileges and install programs; view, change, or delete data; or create new accounts with full user privileges.

"This is by far the most critical bug for this month," says Dustin Childs at the Zero Day Initiative, which reports CVE-2017-8620 is "under active attack." A previous Search flaw also allowed a malicious SMB request to execute code on target machines.

"As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer," he adds. "That's pretty close to wormable and just the sort of thing malware writers look for in a bug."

Childs also advises prioritizing CVE-2017-8664, a Windows Hyper-V Remote Code Execution Vulnerability. On a host server, Hyper-V does not properly validate input from authenticated users on guest operating systems, he explains.

While this flaw is neither publically known nor actively exploited, and is rated "important," Childs says it warrants attention because an attacker on a guest OS could use it to escape and launch code on the underlying hypervisor.

Multiple vulnerabilities addressed in Microsoft's August release involve the Scripting Engine, which affects both Microsoft Office and browsers and should be prioritized for workstations running email and using the Internet through a browser, says Jimmy Graham, director of product management at Qualys.

"Also of note is a vulnerability in the Windows Font Engine, CVE-2017-8691," Graham adds. "This vulnerability can also be exploited through a browser. For systems running Windows 10 and Microsoft Edge, CVE-2017-0293 impacts the PDF viewer functionality."

All of this month's Windows updates have a public disclosure in common, reports Iventi product manager Chris Goettl. CVE-2017-8633, a flaw in Windows Error Reporting, could allow a privilege escalation exploit. An attacker could launch a specially crafted application to cause an error, which would let them increase their privileges to access information and functionalities.

Windows 10 has another public disclosure in CVE-2017-8627, a bug in the Windows Subsystem for Linux that could enable a denial-of-service attack. An attacker could fun a specially crafted file to launch a DoS attack against the local system.

Adobe has also released patches for 67 vulnerabilities, 43 of which are rated Critical. Most of the vulnerabilities are for Adobe Acrobat and Reader. Two flaws were fixed in Adobe Flash; one was labeled Critical. Microsoft released a version of the Adobe patch for Flash in Internet Explorer; it plans to end support for Flash by the end of 2020.

Microsoft patches released this week do not protect against SMBLoris attacks, which involve denial-of-service attacks against Windows systems running any version of SMB and Samba.

"It is recommended that systems exposed to the Internet do not have port 445 open, and that all systems that may be connected to untrusted networks leverage a local firewall to prevent access to port 445," Graham advises businesses to protect against SMBLoris.

Goettl recommends businesses focus on updates for the OS, Flash, Reader, and browsers. There are several Critical vulnerabilities resolved here, he says, and the public disclosures in OS updates give attackers a head start on developing an exploit.

"As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats," he notes. "The quicker we can plug critical vulnerabilities the lower our overall risk will be."

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cybersecurity Must Be an International Effort
Kelly Sheridan, Associate Editor, Dark Reading,  12/6/2017
NIST Releases New Cybersecurity Framework Draft
Jai Vijayan, Freelance writer,  12/6/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.