Microsoft patched more than two dozen remote code execution vulnerabilities today, many of them rated critical. One was a RCE bug that allowed an attacker to take complete control of a server or workstation via Windows Search.
The fixes were part of Microsoft’s August Patch Tuesday update that included 48 patches in all, 25 of them critical, two publicly known prior to release and one with a publicly available proof of concept. None of the vulnerabilities are currently being exploited in the wild, Microsoft said.
The most serious RCE vulnerability (CVE-2017-8620) is related to how Windows Search handles objects in memory. “An attacker who successfully exploited this vulnerability could take control of the affected system,” Microsoft wrote.
Exploiting the Windows Search vulnerability requires an adversary to send a specially crafted message to the Windows Search service. “Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” said Microsoft.
This critical bug affects several versions of Windows 10, Windows Server 2012 and Windows Server 2016.
“While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya,” wrote Jimmy Graham, director of product management at Qualys, in a post.
A second RCE (rated important) is tied to Windows Hyper-V (CVE-2017-8664) and exists when a host server fails to properly validate input from an authenticated user on a guest operating system.
“An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system,” Microsoft said. To exploit the vulnerability all an attacker needs to do is run a malicious application on a guest OS that could cause the Hyper-V host operating system to execute the arbitrary code.
“Although neither is publicly known nor actively exploited, this bug certainly warrants extra attention,” wrote Zero Day Initiative in its Patch Tuesday commentary. “Back at the 2017 Pwn2Own competition, a Hyper-V escape like this one would have earned the contestant $100,000.”
In all, Microsoft patched 27 remote code execution vulnerabilities as part of its August batch of fixes.
The two bugs previously known were a Windows Subsystem for Linux denial of service vulnerability (CVE-2017-8627) and a Windows Error Reporting elevation of privilege vulnerability (CVE-2017-8633) – both rated as important.
“This is the first time we have seen vulnerabilities patched on the Linux Subsystem under Windows. Since its introduction, it was only a matter of time and CVE-2017-8627 (DoS) and CVE-2017-8622 (privilege escalation) are the first of their kind,” said Bobby McKeown, senior manager of engineering, Rapid7.
Qualys notes 20 of August’s critical vulnerabilities are tied to the Windows’ Scripting Engine, which can impact both Edge and IE and Microsoft Office. It notes these type vulnerabilities should be “considered for prioritizing for workstation-type systems that use email and access the internet via a browser.”
“Also of note is a vulnerability in the Windows Font Engine, CVE-2017-8691. This vulnerability can also be exploited through a browser. For systems running Windows 10 and Microsoft Edge, CVE-2017-0293 impacts the PDF viewer functionality,” Qualys said.
The August patches did not include an important Microsoft security update also issued today that included the removal of WoSign and StartCom certificates in Windows 10. “Microsoft will begin the natural deprecation of WoSign and StartCom certificates by setting a ‘NotBefore’ date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017,” according to Microsoft.
The August Patch Tuesday fixes also don’t include a fix to stop a SMBLoris attack, which is a denial of service attack against systems that have port 445 and the SMB client exposed.
Last month, the vulnerability was disclosed during DEF CON. Microsoft has said it will not patch the vulnerability, which allows an attacker to remotely crash a Windows server with relative ease.
Earlier today, Adobe released patches covering 67 vulnerabilities, 43 of which are critical. Adobe Acrobat and Reader made up the bulk of the vulnerabilities, with two related to Adobe Flash.