Between Conficker and WannaCry, there was nearly a decade when network worms went dark.
WannaCry changed that, riding into enterprises globally on the coattails of a leaked nation-state exploit. In the months since the May 12 ransomware attack, vendors, researchers and network admins have been on edge looking in corners and under couches for wormable bugs.
Last week’s Patch Tuesday updates from Microsoft included a critical Windows Search vulnerability that, in some corners, has raised eyebrows as to whether this is the next big one. All the pieces are there for someone to build a wormable exploit, but can it be done in a similar timeframe to WannaCry, and without an available NSA exploit, for example?
The bug in Microsoft’s desktop search utility (CVE-2017-8620) allows an attacker to elevate privileges and remotely run arbitrary code. It affects all supported versions of Windows and Windows Server, and an attacker can use SMB to trigger the vulnerability remotely. SMB is the same attack vector used in the WannaCry and NotPetya attacks, giving an already hyper-sensitive user base more anxiety.
The urgency to patch is there just as it was with MS17-010, which addressed the SMBv1 bugs exploited by EternalBlue, the exploit leaked by the ShadowBrokers in April, one month after patches were made available. As the industry learned with WannaCry, patching vigilance still isn’t up to par, especially for organizations dependent on legacy and/or unsupported systems.
Just as many failed to deploy the SMB patches in time, experts are wondering if these same factors are colluding again with the Windows Search bug.
“At this point, it’s difficult to determine if this will lead to a major worm; there are many temporal and environmental factors that will play into that, and things can often change rapidly,” said Sean Dillon, senior researcher at RiskSense and one of the first to dissect the EternalBlue attack. “It is always a good idea to apply patches as soon as possible, or at least the workarounds which Microsoft has provided for this vulnerability. As with EternalBlue, which took advantage of a legacy SMB operation (and in a deprecated version of the protocol), most customers are probably not actively using the features that are being exploited and should take the steps to disable them if the patch cannot be immediately applied for whatever reason.”
Microsoft recommends disabling the WSearch service as a temporary mitigation for CVE-2017-8620.
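As an added example (not code from the article, from Microsoft, or from the quoted researchers), the PowerShell helper below inventories the state of the WSearch service across a list of hosts and applies the stop-and-disable workaround the article mentions on the local machine; the host names, and the assumption of CIM/WinRM access and local administrator rights, are mine.

```powershell
# Added example: report whether the Windows Search service (WSearch) is still
# running or set to start on each host, and optionally apply the temporary
# workaround (stop + disable) until the CVE-2017-8620 patch is deployed.
# Assumes CIM/WinRM access to the listed hosts and local admin rights.

function Get-WSearchStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $c -Filter "Name='WSearch'" -ErrorAction Stop
            $present = [bool]$svc
            [pscustomobject]@{
                Computer  = $c
                Present   = $present
                State     = $svc.State       # Running / Stopped
                StartMode = $svc.StartMode   # Auto / Manual / Disabled
                # Workaround counts as applied only when the service is both
                # stopped and prevented from starting again.
                Exposed   = $present -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
            }
        } catch {
            [pscustomobject]@{ Computer = $c; Present = $null; State = 'Unreachable'; StartMode = $null; Exposed = $null }
        }
    }
}

function Disable-WSearchWorkaround {
    # Local host only. Re-enable with: Set-Service -Name WSearch -StartupType Automatic
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('WSearch', 'Stop and disable service')) {
        Stop-Service -Name WSearch -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WSearch -StartupType Disabled
    }
}

# Constructed host names for illustration:
Get-WSearchStatus -ComputerName 'ws-01', 'ws-02' | Format-Table -AutoSize
```

Run Disable-WSearchWorkaround -WhatIf first to see what it would change; the Exposed column stays True for any host where the service is either running or still able to start.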
Check Point Software Technologies, meanwhile, echoes calls to patch this vulnerability immediately, but it also published an alarmist blog on Friday, calling this bug the next WannaCry.
“Basically, the vulnerability was found in a place that allows you to spread it further by using Microsoft services. If you have access to one computer on a network, you can send this, without any need for user interaction, through the entire network,” said Daniel Padon, a researcher at Check Point. “This is very similar to the one used by WannaCry. It’s possible to assume that because the previous vulnerability was found, it exposed these types of attacks; that was the incentive to look for additional attacks of the same kind.”
Padon called the bug interesting from a technical perspective and cautioned it has a large potential impact.
“The real story for us is that this is already patched,” Padon said. “I would bet if we checked now after the patch has been released to see how many users actually patched, I would be surprised if more than 10 percent did—and that’s being generous. These vulnerabilities are still affecting people because security isn’t up to speed with attacks.”
Dillon said that because the vulnerability allows for a remote network attack without requiring any special privileges, the ingredients are present for a successful worm.
“The attack complexity is rated as difficult to exploit, as was EternalBlue. Only a handful of people on the planet have enough knowledge, skill, and patience to have written a reliable exploit in a reasonable time for any of the vulnerabilities in MS17-010… if the Shadow Brokers dump had not occurred,” Dillon said. “That certainly lowered the bar for entry to alarmable levels. This Windows search exploit seems like it should be much more straightforward to exploit.”