Vulnerabilities / Threats

8/9/2017
11:48 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Fixes 27 Remote Code Execution Flaws

Microsoft issued patches for 48 vulnerabilities as part of its monthly Patch Tuesday update, 25 of which were 'critical.'

Microsoft released fixes for 48 vulnerabilities as part of its August Patch Tuesday update. Fifteen affect Windows, 25 were rated as critical, 21 as important, and 27 could result in remote code execution if exploited.

These patches address problems in Windows, Internet Explorer, Microsoft Edge, SharePoint, SQL Server, Hyper-V, the subsystem for Linux, and Kernel. Two affect all supported versions of Windows, including all editions of Windows 10 and Windows Server. Microsoft said that none of the bugs are being exploited in the wild.

Experts suggest prioritizing CVE-2017-8620, a vulnerability in Windows Search that can be exploited remotely via SMB to take over a system, affecting workstations and servers. The bug is not within SMB and unrelated to flaws used in WannaCry and NotPetya.

The vulnerability exists when Windows Search handles objects in memory, Microsoft reports in an advisory. An attacker could exploit the flaw by sending specially crafted messages to Windows Search. Those with access to a target device could elevate privileges and install programs; view, change, or delete data; or create new accounts with full user privileges.

"This is by far the most critical bug for this month," says Dustin Childs at the Zero Day Initiative, which reports CVE-2017-8620 is "under active attack." A previous Search flaw also allowed a malicious SMB request to execute code on target machines.

"As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer," he adds. "That's pretty close to wormable and just the sort of thing malware writers look for in a bug."

Childs also advises prioritizing CVE-2017-8664, a Windows Hyper-V Remote Code Execution Vulnerability. On a host server, Hyper-V does not properly validate input from authenticated users on guest operating systems, he explains.

While this flaw is neither publically known nor actively exploited, and is rated "important," Childs says it warrants attention because an attacker on a guest OS could use it to escape and launch code on the underlying hypervisor.

Multiple vulnerabilities addressed in Microsoft's August release involve the Scripting Engine, which affects both Microsoft Office and browsers and should be prioritized for workstations running email and using the Internet through a browser, says Jimmy Graham, director of product management at Qualys.

"Also of note is a vulnerability in the Windows Font Engine, CVE-2017-8691," Graham adds. "This vulnerability can also be exploited through a browser. For systems running Windows 10 and Microsoft Edge, CVE-2017-0293 impacts the PDF viewer functionality."

All of this month's Windows updates have a public disclosure in common, reports Iventi product manager Chris Goettl. CVE-2017-8633, a flaw in Windows Error Reporting, could allow a privilege escalation exploit. An attacker could launch a specially crafted application to cause an error, which would let them increase their privileges to access information and functionalities.

Windows 10 has another public disclosure in CVE-2017-8627, a bug in the Windows Subsystem for Linux that could enable a denial-of-service attack. An attacker could fun a specially crafted file to launch a DoS attack against the local system.

Adobe has also released patches for 67 vulnerabilities, 43 of which are rated Critical. Most of the vulnerabilities are for Adobe Acrobat and Reader. Two flaws were fixed in Adobe Flash; one was labeled Critical. Microsoft released a version of the Adobe patch for Flash in Internet Explorer; it plans to end support for Flash by the end of 2020.

Microsoft patches released this week do not protect against SMBLoris attacks, which involve denial-of-service attacks against Windows systems running any version of SMB and Samba.

"It is recommended that systems exposed to the Internet do not have port 445 open, and that all systems that may be connected to untrusted networks leverage a local firewall to prevent access to port 445," Graham advises businesses to protect against SMBLoris.

Goettl recommends businesses focus on updates for the OS, Flash, Reader, and browsers. There are several Critical vulnerabilities resolved here, he says, and the public disclosures in OS updates give attackers a head start on developing an exploit.

"As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats," he notes. "The quicker we can plug critical vulnerabilities the lower our overall risk will be."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.