This month’s Patch Tuesday update round from Microsoft fixed 48 vulnerabilities, only two of which had been publicly disclosed before release, and none of which is known to have been exploited in the wild so far.
At first sight it’s a daunting collection of bugs, covering Windows, Internet Explorer (IE), Edge, the Windows Subsystem for Linux, the kernel, SharePoint, SQL Server and Hyper-V, with 25 CVEs rated critical, 21 important and two moderate.
Experts agree the priority should be CVE-2017-8620, a Windows Search Remote Code Execution Vulnerability.
Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) project claimed it to be the most critical bug this month.
“In addition to being similar to a previous search vulnerability – also under active attack – this bug allows a malicious SMB request to execute code on a target system,” he explained.
“As with the previous search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer. That’s pretty close to wormable and just the sort of thing malware writers look for in a bug. Also, let this be your monthly reminder to disable SMBv1.”
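The “disable SMBv1” reminder is the one concrete hardening step in the quote above, so here is how an administrator would audit and switch it off on a Windows host. This is an added example, not code from the article, from ZDI or from Microsoft; it assumes Windows 8.1 / Server 2012 R2 or later (where the `SmbShare` cmdlets exist) and an elevated PowerShell session. The `Dialect -like '1.*'` test for legacy sessions is an assumption about how SMB1 dialects are reported.

```powershell
# Added example: audit for SMBv1 and disable it. Run as Administrator.
# Assumes Windows 8.1 / Server 2012 R2 or later (SmbShare module present).

# 1. Audit: is the SMBv1 server-side protocol still enabled on this host?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled: $smb1Enabled"

# 2. Audit: are there clients still talking SMBv1 to this host? Disabling the
#    protocol breaks those sessions, so find them first. (Assumption: SMB1
#    sessions are reported with a 1.x Dialect string.)
$legacy = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    $clients = ($legacy | Select-Object -ExpandProperty ClientComputerName -Unique) -join ', '
    Write-Warning "Active SMBv1 sessions from: $clients"
}

# 3. Disable the SMBv1 server protocol. Takes effect for new connections
#    immediately, no reboot needed.
if ($smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 4. On Windows 8.1/10, also remove the SMB1 optional feature (client and
#    server binaries) so it cannot be re-enabled by a stray registry change.
#    Completing the removal needs a reboot. On Windows Server the equivalent
#    is Remove-WindowsFeature FS-SMB1.
$dism = Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue
if ($dism) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

# 5. Verify the end state: SMBv1 off, SMBv2/3 still on.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
```

Run step 2 on file servers and domain controllers during business hours before flipping the switch: the warning it prints is the list of legacy devices (old printers, NAS boxes, scanners) that will lose access once SMBv1 is gone.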
Another interesting bug highlighted by ZDI is a Windows Hyper-V Remote Code Execution Vulnerability (CVE-2017-8664), which could allow an attacker on a guest OS to attack the hypervisor. Childs noted that a similar vulnerability won $100,000 at the 2017 Pwn2Own competition.
Bobby McKeown, senior manager of engineering at Rapid7, pointed out that this is the first time Microsoft has patched the Windows Subsystem for Linux, with CVE-2017-8627 (denial of service) and CVE-2017-8622 (elevation of privilege) the first bugs of their kind.
Adobe also shipped critical updates for Flash Player, Digital Editions and Reader, plus an important-rated update for Adobe Experience Manager, together covering 43 critical and 24 important CVEs.
Chris Goettl, product manager at Ivanti, urged admins to focus on the OS, Flash, Reader and browser updates.
“There are a number of critical vulnerabilities resolved here and a few public disclosures in the OS updates which give attackers a bit of a head start on developing an exploit,” he added. “As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats. The quicker we can plug critical vulnerabilities the lower our overall risk will be.”
However, he urged sysadmins not to feel overawed by the task ahead.
“August Patch Tuesday has a lot at first glance, but this lion may be more of a lamb,” Goettl said.