It's 2017 and Hyper-V can be pwned by a guest app, Windows by a search query, Office by...
Update IE, Edge, Windows, SQL Server, Office and – of course – Flash
Patch Tuesday: Microsoft has released its August security updates, addressing holes in multiple products. Folks are urged to install the fixes as soon as possible, before they are exploited.
Among the flaws are remote code execution holes in Windows, Internet Explorer/Edge and Flash Player, plus a guest escape in Hyper-V. Of the 48 patches issued by Redmond, 25 are rated as critical security risks.
Those 25 critical issues include a remote code execution vulnerability in all supported versions of Windows (CVE-2017-8620), for which an exploit is already public, we're told. The flaw lets an attacker on the network take over a target machine by feeding a malicious query to the Windows Search service, either directly or over an SMB connection.
Here's Redmond's description of the flaw:
A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer.
Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.
The security update addresses the vulnerability by correcting how Windows Search handles objects in memory.
Essentially, any machine, desktop or server, that runs the Windows Search service and can be reached over SMB can be hijacked to install spyware and other nasties, and a local user on an unpatched box can use the same bug to elevate to full control. Get patching.
"As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations," said Jimmy Graham, product management director at security firm Qualys.
"While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya."
The vulnerability is separate from the seemingly still-unpatched SMBLoris flaw showcased at DEF CON last month.
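What an administrator wants at this point is a quick way to find which hosts expose the attack surface just described: Windows Search running, SMB listening, and nothing from this Patch Tuesday installed yet. The following PowerShell triage script is an added example and is not code from the article, from Microsoft or from Qualys. It assumes the service name WSearch, that Patch Tuesday fell on 8 August 2017, and that stopping and disabling Windows Search is an acceptable interim workaround on hosts that cannot be patched immediately; confirm that last point against Microsoft's advisory before applying it. Get-HotFix cannot map a KB to a CVE, so the patch check is deliberately coarse.

```powershell
# Added example, not from the article or Microsoft: triage a Windows host for
# the CVE-2017-8620 attack surface. Assumes the Windows Search service is named
# WSearch, that Patch Tuesday was 2017-08-08, and that disabling WSearch is an
# acceptable interim workaround (confirm against Microsoft's advisory).
# Run from an elevated PowerShell 5.1+ prompt on Windows 8.1 / Server 2012 R2 or newer.

param(
    [switch]$ApplyWorkaround,                      # stop and disable WSearch if it is running
    [datetime]$PatchDay = (Get-Date '2017-08-08')  # August 2017 Patch Tuesday (assumption)
)

# 1. Is the Windows Search service installed and running? It is the component
#    that parses the crafted messages Microsoft's description refers to.
$search = Get-Service -Name WSearch -ErrorAction SilentlyContinue
if ($null -eq $search) {
    Write-Output 'WSearch: not installed (no Windows Search surface on this host)'
} else {
    Write-Output ('WSearch: {0}, start type {1}' -f $search.Status, $search.StartType)
}

# 2. Is SMB (TCP 445) listening? That is the remote path into the service in
#    the enterprise scenario; a listener on 0.0.0.0 or :: is the case to flag.
$smb = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($smb) {
    $addrs = ($smb | Select-Object -ExpandProperty LocalAddress -Unique) -join ', '
    Write-Output "SMB: listening on $addrs"
} else {
    Write-Output 'SMB: not listening on TCP 445'
}

# 3. Has anything been installed on or after Patch Tuesday? Get-HotFix does not
#    know which KB fixes which CVE, so treat "nothing recent" as "still exposed"
#    rather than treating "something recent" as proof of a fix.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDay } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Output 'Updates installed since Patch Tuesday:'
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-String | Write-Output
} else {
    Write-Warning "No updates installed on or after $($PatchDay.ToShortDateString()); assume CVE-2017-8620 is unpatched"
}

# 4. Interim workaround for an unpatched host: remove the vulnerable service
#    rather than the SMB transport, since the bug is in Windows Search, not SMB.
if ($ApplyWorkaround -and $search -and $search.Status -eq 'Running') {
    Set-Service -Name WSearch -StartupType Disabled
    Stop-Service -Name WSearch -Force
    Write-Output 'WSearch stopped and disabled; re-enable after patching if desktop search is needed'
}
```

Run it without switches to report, and with -ApplyWorkaround on hosts you have decided to leave unpatched for now. Blocking TCP 445 at the perimeter is still worth doing, but as Graham points out above it only cuts off one route to the bug, so it is a stopgap, not a fix.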
The remaining issues include 21 bugs rated "important" by Microsoft – a designation Redmond often uses to downplay troubling bugs – among them cross-site scripting and information disclosure flaws. Microsoft's argument is that these are less serious because they can't be exploited without a victim clicking on a link or opening a file, though in the wild the distinction is of little importance, seeing as how clicking on things is how we operate computers.
As is often the case, this month's "important" patches are actually rather serious. Among them is a guest escape flaw in Hyper-V (CVE-2017-8664) that allows an application running inside a virtual machine to break out of the hypervisor's sandbox and execute code on the underlying host, a game-over scenario for virtualized servers. Microsoft rates it merely important, presumably because the attacker must already be an authenticated user on the guest, but on a shared host that means anyone who can run code in a VM can run arbitrary evil code on the host server. Here's Redmond's description of the flaw:
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
Also addressed are two programming blunders, one in the Windows Subsystem for Linux (CVE-2017-8627) and one in Windows Error Reporting (CVE-2017-8633), that already have exploits published and could allow denial of service and information disclosure, respectively.
Other bugs include a cross-site scripting flaw in SharePoint (CVE-2017-8654), an information disclosure flaw in SQL Server (CVE-2017-8516) and a pair of information disclosure vulnerabilities (CVE-2017-8652 and CVE-2017-8659) in the Edge browser.
As researcher Dustin Childs of Zero Day Initiative notes, the scripting engine patches should be a priority for testing and deployment due to their accessibility via browsers, as should the flaws that are already being targeted or have published exploits.
"Obviously, the patches impacting Edge, IE, and SharePoint should top deployment lists due to the ubiquitous nature of the programs," Childs said. "Similar to the previous month, there are many Edge and IE cases quite simply titled 'Scripting Engine Memory Corruption Vulnerability'."
Also addressed are a number of stability issues in Windows 10, including a crash in AppLocker, bugs in mobile device management, and a bug in NetBIOS.
Meanwhile, Adobe has issued the usual set of patches for Flash Player on Windows, OS X, and Linux. Edge and Chrome users will get the update automatically, as will those running Internet Explorer 11, whose bundled Flash is updated through Windows Update.
This month, the internet's screen door has been outfitted with an update for a critical type confusion bug (CVE-2017-3106) that allows remote code execution, and a security bypass flaw (CVE-2017-3085) that leads to information disclosure.
Adobe is also pushing out a patch to address a hefty 67 CVE-listed flaws in the hackers' other favorite target: PDF readers. The Acrobat and Reader update covers flaws in both the Windows and OS X versions of Adobe's software. ®