Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/9/2017
11:48 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Fixes 27 Remote Code Execution Flaws

Microsoft issued patches for 48 vulnerabilities as part of its monthly Patch Tuesday update, 25 of which were 'critical.'

Microsoft released fixes for 48 vulnerabilities as part of its August Patch Tuesday update. Fifteen affect Windows, 25 were rated as critical, 21 as important, and 27 could result in remote code execution if exploited.

These patches address problems in Windows, Internet Explorer, Microsoft Edge, SharePoint, SQL Server, Hyper-V, the subsystem for Linux, and Kernel. Two affect all supported versions of Windows, including all editions of Windows 10 and Windows Server. Microsoft said that none of the bugs are being exploited in the wild.

Experts suggest prioritizing CVE-2017-8620, a vulnerability in Windows Search that can be exploited remotely via SMB to take over a system, affecting workstations and servers. The bug is not within SMB and unrelated to flaws used in WannaCry and NotPetya.

The vulnerability exists when Windows Search handles objects in memory, Microsoft reports in an advisory. An attacker could exploit the flaw by sending specially crafted messages to Windows Search. Those with access to a target device could elevate privileges and install programs; view, change, or delete data; or create new accounts with full user privileges.

"This is by far the most critical bug for this month," says Dustin Childs at the Zero Day Initiative, which reports CVE-2017-8620 is "under active attack." A previous Search flaw also allowed a malicious SMB request to execute code on target machines.

"As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer," he adds. "That's pretty close to wormable and just the sort of thing malware writers look for in a bug."

Childs also advises prioritizing CVE-2017-8664, a Windows Hyper-V Remote Code Execution Vulnerability. On a host server, Hyper-V does not properly validate input from authenticated users on guest operating systems, he explains.

While this flaw is neither publically known nor actively exploited, and is rated "important," Childs says it warrants attention because an attacker on a guest OS could use it to escape and launch code on the underlying hypervisor.

Multiple vulnerabilities addressed in Microsoft's August release involve the Scripting Engine, which affects both Microsoft Office and browsers and should be prioritized for workstations running email and using the Internet through a browser, says Jimmy Graham, director of product management at Qualys.

"Also of note is a vulnerability in the Windows Font Engine, CVE-2017-8691," Graham adds. "This vulnerability can also be exploited through a browser. For systems running Windows 10 and Microsoft Edge, CVE-2017-0293 impacts the PDF viewer functionality."

All of this month's Windows updates have a public disclosure in common, reports Iventi product manager Chris Goettl. CVE-2017-8633, a flaw in Windows Error Reporting, could allow a privilege escalation exploit. An attacker could launch a specially crafted application to cause an error, which would let them increase their privileges to access information and functionalities.

Windows 10 has another public disclosure in CVE-2017-8627, a bug in the Windows Subsystem for Linux that could enable a denial-of-service attack. An attacker could fun a specially crafted file to launch a DoS attack against the local system.

Adobe has also released patches for 67 vulnerabilities, 43 of which are rated Critical. Most of the vulnerabilities are for Adobe Acrobat and Reader. Two flaws were fixed in Adobe Flash; one was labeled Critical. Microsoft released a version of the Adobe patch for Flash in Internet Explorer; it plans to end support for Flash by the end of 2020.

Microsoft patches released this week do not protect against SMBLoris attacks, which involve denial-of-service attacks against Windows systems running any version of SMB and Samba.

"It is recommended that systems exposed to the Internet do not have port 445 open, and that all systems that may be connected to untrusted networks leverage a local firewall to prevent access to port 445," Graham advises businesses to protect against SMBLoris.

Goettl recommends businesses focus on updates for the OS, Flash, Reader, and browsers. There are several Critical vulnerabilities resolved here, he says, and the public disclosures in OS updates give attackers a head start on developing an exploit.

"As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats," he notes. "The quicker we can plug critical vulnerabilities the lower our overall risk will be."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting