Microsoft’s Patch Tuesday update today included a massive 95 fixes that tackle vulnerabilities in Windows, Office, Skype, Internet Explorer and its Edge browser. Twenty-seven of Microsoft’s patches fix remote code execution issues, which could allow attackers to remotely take control of a victim’s PC. Eighteen patches are rated critical by Microsoft, 76 important and one is rated moderate.
Of greatest concern are two vulnerabilities currently under attack: a Windows Search Remote Code Execution Vulnerability (CVE-2017-8543) and a LNK Remote Code Execution Vulnerability (CVE-2017-8464).
The more serious of the two, the Windows Search Remote Code Execution Vulnerability patch, tackles an RCE in the Windows OS found in the Windows Search Service (WSS), a feature in Windows that allows users to search across multiple Windows services and clients.
“In an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” according to the bulletin. Affected are Windows Server 2016, 2012, 2008 as well as desktop systems like Windows 10, 7 and 8.1.
The second vulnerability actively being exploited is the LNK Remote Code Execution Vulnerability, which allows an RCE if a specially crafted shortcut is displayed to a user. “If you’re experiencing déjà vu reading the bug title, it’s certainly understandable. This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission,” according to Patch Tuesday commentary by Zero Day Initiative (ZDI).
Those critical patches were supplemented Tuesday by additional patches, released by Microsoft on the same day, for unsupported versions of Windows such as Windows XP and Windows Server 2003. The fixes are meant to stop the WannaCry ransomware outbreak from last month. The patch follows an emergency patch released just weeks ago, also for XP. The updates can be found at Microsoft Download Center, but won’t be automatically delivered through Windows Update.
According to security experts at Qualys, another high-priority issue for sysadmins should be a Windows Graphics RCE Vulnerability (CVE-2017-8527). This vulnerability is triggered when users view a malicious website with specially crafted fonts. “A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system,” Microsoft notes.
“Overall it’s a large security update which is almost double as compared to last two months in the number of patched vulnerabilities. Actively exploited SMB issue CVE-2017-8543 and other Font, Outlook, Office, Edge and IE issues are sure to keep system administrators and security teams busy,” said Amol Sarwate, director of engineering at Qualys.
Sarwate advises organizations using Outlook to also prioritize a patch for a Microsoft Office Memory Corruption Vulnerability (CVE-2017-8507), which attackers can exploit by sending a malicious e-mail to a target, taking complete control when the recipient views the message in Outlook.
Lastly, Microsoft patched Microsoft Edge and IE for several remote code execution issues (CVE-2017-8498, CVE-2017-8530 and CVE-2017-8523) that are particularly important because they have been publicly disclosed, although no attacks have been observed yet, according to Qualys.
Earlier in the day, Adobe fixed 21 vulnerabilities across four products – Flash, Shockwave Player, Captivate, and Adobe Digital Editions.