The Microsoft August 2017 Patch Tuesday update has landed and contains patches for 48 vulnerabilities, 25 of which are for critical issues. Of the 48, 27 can be exploited to achieve remote code execution, but the good news is that none of them are currently under active attack – even though some exploits are already public.
“Many of the vulnerabilities in this month’s release involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser,” says Jimmy Graham, Director of Product Management at Qualys.
“Also of note is a vulnerability in the Windows Font Engine, CVE-2017-8691. This vulnerability can also be exploited through a browser. For systems running Windows 10 and Microsoft Edge, CVE-2017-0293 impacts the PDF viewer functionality.” The latter can be exploited through a specially crafted PDF file.
CVE-2017-8620, which affects the Windows Search service, should also be patched as soon as possible, as it can be exploited remotely via SMB to take complete control of a system.
“While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya,” Graham points out.
Nevertheless, it affects all supported versions of Windows, and it could end up being used to add worm-like spreading mechanisms to malware.
“To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” Microsoft explained.
For those administrators who can’t, for whatever reason, implement the patch, the advice is to temporarily disable the WSearch service.
“The patches do not include a fix for the SMBLoris attack, which is a denial of service against systems that have port 445 and the SMB client exposed. This attack can also be leveraged against Samba,” Graham added.
“It is recommended that systems that are exposed to the internet do not have port 445 open, and that all systems that may be connected to untrusted networks leverage a local firewall to prevent access to port 445.”
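The two interim measures mentioned above (disabling WSearch where the patch cannot be applied, and a local firewall rule for port 445) can be scripted as follows. This is an added example, not code from Microsoft or Qualys; the state-file path, the rule name and the `-BlockInboundSmb` switch are assumptions made for illustration, and the firewall and TCP cmdlets assume Windows 8 / Server 2012 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: temporary workaround for a host that cannot take the update yet.
param(
    [switch]$BlockInboundSmb,  # use only on hosts that do not serve SMB shares
    [string]$StateFile = "$env:ProgramData\wsearch-workaround.json",  # assumed path
    [string]$RuleName  = 'TEMP block inbound TCP 445'                 # assumed name
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'"
if ($null -eq $svc) {
    Write-Warning 'WSearch service not present on this host; nothing to disable.'
} else {
    # Save the pre-change state once, so a re-run does not overwrite it with "Disabled".
    if (-not (Test-Path -Path $StateFile)) {
        [pscustomobject]@{
            State     = $svc.State
            StartMode = $svc.StartMode
            Recorded  = (Get-Date).ToString('o')
        } | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    }
    # Disable first so nothing restarts the service after it is stopped.
    Set-Service  -Name WSearch -StartupType Disabled
    Stop-Service -Name WSearch -Force
}

if ($BlockInboundSmb) {
    # Idempotent: create the block rule only if it does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

# Verify: the service should now report State=Stopped, StartMode=Disabled.
Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'" |
    Select-Object Name, State, StartMode

# The SMB listener stays bound to 445; the rule only blocks inbound connections to it.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Once the update is installed, restore the start mode recorded in the state file and remove the temporary rule with `Remove-NetFirewallRule -DisplayName`. Disabling WSearch turns off indexed search on the host until it is re-enabled.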
Finally, Microsoft has also published guidance for securing applications developed with the Microsoft Internet Explorer layout engine (aka Trident layout engine).