The unusual decision Microsoft made to release patches on Tuesday for unsupported versions of Windows was prompted by three NSA exploits that remained unaddressed from April’s ShadowBrokers leak.

The worst of the bunch, an attack called ExplodingCan (CVE-2017-7269), targets older versions of Microsoft’s Internet Information Services (IIS) webserver, version 6.0 in particular, and enables an attacker to gain remote code execution on a Windows 2003 server.

All three attacks allow an adversary to gain remote code execution. The other two are EsteemAudit, a vulnerability in the Windows Remote Desktop Protocol (RDP) (CVE-2017-0176), and EnglishmanDentist (CVE-2017-8487), a bug in OLE (Object Linking and Embedding). Microsoft said the patches are available for manual download.

ExplodingCan merits a closer look because of the wide deployment of IIS 6.0.

“Generally, when you put a Windows machine on the internet, it’s going to be a server and it’s going to run a webserver, so there are production machines on the internet running IIS 6.0 right now,” said Sean Dillon, senior analyst at RiskSense and one of the first to analyze the NSA’s EternalBlue exploit that spread WannaCry ransomware on May 12.

“It’s probably already been exploited for months now,” Dillon said. “At least now there’s a fix that’s publicly available.”

Microsoft released a hefty load of patches for supported products and services on Tuesday as part of its normal Patch Tuesday update cycle. Normally, patches for unsupported versions of Windows are available only for Microsoft customers on an expensive extended support contract. The company’s decision to make all of those fixes public on Tuesday, it said, was prompted by an elevated risk for “destructive cyber attacks.”

“Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,” said Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center.

“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,” Hall said. “To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows.”

The ShadowBrokers’ leak in April unleashed a number of powerful Windows attacks into the public, allegedly belonging to the Equation Group, which is widely believed to be the U.S. National Security Agency. Criminals and other nation states have already been leveraging the attacks to spread not only WannaCry ransomware, but also cryptocurrency mining utilities and other types of malware.

Microsoft said customers should not expect this type of patch release for unsupported products to become the norm. Some experts have been critical of Microsoft, which also made a similar update available for unsupported products hours after the WannaCry outbreak.

“It was the right move by Microsoft,” Dillon said. “We saw the damage it can cause with WannaCry. Some of the most-used infrastructure, like SCADA systems, still run on XP whether they’re getting patches or not. When you have critical things [running on XP], it’s a good thing they released, but it should only be looked at as a temporary solution and people should look to upgrade off of legacy versions.”

Some third-party services such as 0patch have provided micro-patches for some of these vulnerabilities on legacy versions, even before the ShadowBrokers leak, Dillon said. “Hopefully people who are running legacy systems have looked into other means of patching beside official fixes,” he said. “Although, this is great that there’s an official fix.”

The remaining two vulnerabilities are of lesser severity but should be patched nonetheless on legacy systems.

EsteemAudit affects RDP, but only on XP; modern versions of Windows did not require a patch. According to Microsoft, the vulnerability exists only if the RDP server has smart card authentication enabled.

EnglishmanDentist, meanwhile, is triggered because Windows OLE fails to properly validate user input, Microsoft said.

“There’s a whole wide assortment of exploits that were leaked, and we’ve only seen a few of them actively used at a mass scale. This is just plugging a hole before it becomes a bigger problem,” Dillon said.

Comments (2)

  1. Brian G

    I’m sure Microsoft got pressure from the government to release these patches since it’s partially govt’s fault and America has to be kept somewhat resilient.

  2. Jonathan

    This article mentions (3) patches released by Microsoft on 6/13/2017.

    However, there are MORE than that. According to the Microsoft security advisory 4025685, there are a total of (12) listed, although on my systems here, I had the first (3) already installed:
    KB958644 – From MS08-67 (Released 2008)
    KB2347290 – From MS10-061 (Released 2010)
    KB4012598 – From MS17-010 (Released 5/13/2017)

    The additional ones are:
    KB4012583 – From MS17-013
    KB4018271 – From CVE-2017-222
    KB4018466 – From CVE-2017-267 to 0280
    KB4024323 – From CVE-2017-8461
    KB4024402 – From CVE-2017-8543
    KB4019204 – From CVE-2017-8552

    And the (3) mentioned here:
    KB4022747 – CVE-2017-0176 (Esteem Audit)
    KB3197835 – CVE-2017-7269 (Exploding Can)
    KB4025218 – CVE-2017-8487 (Englishman Dentist)
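For administrators who still have legacy hosts to inventory, the following PowerShell snippet is an added example (not from the article or from Microsoft) that reports whether the three out-of-band updates named above are present on the local machine. The KB-to-CVE mapping is taken from the commenter's list and should be verified against Microsoft advisory 4025685; Win32_QuickFixEngineering and the W3SVC service name are standard Windows names, and the script assumes the updates were installed in a way that registers a hotfix entry.

```powershell
# Added example: check a legacy host for the three June 2017 out-of-band fixes.
# KB/CVE pairs below are as listed in the comment above (assumption: verify
# them against Microsoft security advisory 4025685 before relying on them).
$Expected = @(
    @{ KB = 'KB4022747'; CVE = 'CVE-2017-0176'; Name = 'EsteemAudit (RDP, smart card auth)' },
    @{ KB = 'KB3197835'; CVE = 'CVE-2017-7269'; Name = 'ExplodingCan (IIS 6.0 WebDAV)' },
    @{ KB = 'KB4025218'; CVE = 'CVE-2017-8487'; Name = 'EnglishmanDentist (OLE)' }
)

# Win32_QuickFixEngineering is available through Get-WmiObject on PowerShell 2.0,
# which is the newest version that runs on XP / Server 2003 era hosts.
$Installed = @(Get-WmiObject -Class Win32_QuickFixEngineering |
    ForEach-Object { $_.HotFixID })

$Missing = @()
foreach ($u in $Expected) {
    $present = $Installed -contains $u.KB
    $status  = if ($present) { 'INSTALLED' } else { 'MISSING' }
    '{0,-10} {1,-14} {2,-36} {3}' -f $u.KB, $u.CVE, $u.Name, $status
    if (-not $present) { $Missing += $u.KB }
}

# Context for triage: the IIS fix only matters where the web server role is
# present, so note when W3SVC (the IIS service) is absent on this host.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if (($Missing -contains 'KB3197835') -and (-not $iis)) {
    'Note: KB3197835 is missing, but the W3SVC (IIS) service is not present on this host.'
}

if ($Missing.Count -gt 0) {
    Write-Warning ('Missing updates: ' + ($Missing -join ', '))
} else {
    'All three out-of-band updates are installed.'
}
```

Run it locally on each legacy host (or via your existing remote execution tooling); a missing entry for KB3197835 on a host that does run IIS 6.0 is the case to prioritise, per the article.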
