It's 2017 and Microsoft is still patching Windows XP+ – to plug holes exploited by trio of leaked NSA weapons
Bugs used by stolen tools fixed among 96 software holes
Microsoft today addressed 96 CVE-listed vulnerabilities in its products – plus issued more emergency patches for unsupported versions of Windows menaced by leaked NSA exploits.
A special bulletin from Microsoft on Tuesday explained the emergency update includes fixes for legacy versions of Windows and Windows Server dating back to XP and Server 2003, as well as Windows XP Embedded and Windows 7 Embedded.
This emergency fix contains previously released patches for Windows bugs exploited by NSA exploits leaked by the Shadowbrokers. Crucially, it also patches flaws attacked by EXPLODINGCAN, ENGLISHMANDENTIST and ESTEEMAUDIT, three of the other stolen NSA tools that were distributed online in April by the brokers.
In other words, in March, Microsoft issued patches for some of the leaked NSA tools – notably, ETERNALBLUE used by WannaCry – for its unsupported operating systems. Now it has patched flaws exploited by the aforementioned trio of leaked cyber-weapons for its legacy Windows products. Microsoft previously said it wouldn't issue out-of-support patches for the three exploits, and that supported operating systems were safe from the trio. The three cyber-weapons target holes in IIS, Outlook and Exchange, and RDP.
Why the U-turn? With the NSA's tools now out in the wild, Redmond feared boxes could be targeted for state-sponsored attacks.
"We have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures," Microsoft said of the updates.
Redmond said users and admins running Windows Vista and XP will need to manually install the updates, while Windows 7 and newer should get the fixes via download.
For the embedded versions, Microsoft suggests companies contact their hardware vendors, who should be able to provide the fixes for vulnerable devices.
"In my opinion this should be treated as a blueprint for future attacks and updates for EOL operating systems should be applied as soon as possible," wrote Amol Sarwate, director of Vulnerability Labs for Qualys.
Massive June patch load
As for the rest of the updates, Microsoft has a hefty 96 CVE-listed flaws to address this month. The June edition of Patch Tuesday brings with it updates for remote code execution flaws in Windows, Office, and Edge. Two of the vulnerabilities have been exploited in the wild, while another three have publicly available proof-of-concept for exploits.
The active exploits target CVE-2017-8543, a flaw in the Windows Search Services that allows an attacker to take over the target machine via a network connection.
"To exploit the vulnerability, the attacker could send specially crafted SMB messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer," Microsoft says of the flaw.
"Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer."
The second flaw being targeted is CVE-2017-8464, a vulnerability in the handling of LNK desktop shortcuts.
Microsoft said the flaw would allow an attacker to gain the current user's access rights simply by inserting a removable drive.
"When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker's choice on the target system," Microsoft explained.
As the Zero Day Initiative notes, the described attack carries a striking resemblance to the way the Stuxnet malware was able to infiltrate and sabotage industrial control systems when carrying out its attacks.
"While this latest patch may touch different parts of code, the exploit vector remains the same – remote code execution can occur if a specially crafted shortcut is displayed," writes ZDI researcher Dustin Childs. "In the case of Stuxnet, this was done with a USB thumb drive, but the LNK could also be hosted on a remote drive viewable by the target."
The update also addresses three publicly disclosed errors in the Edge browser – two allowing for security feature bypass (CVE-2017-8523 and CVE-2017-8530), and a third allowing for information disclosure.
Office, meanwhile, has received fixes for nine of its own remote code execution flaws. Those vulnerabilities can be targeted via DLL files (CVE-2017-8506), email messages (CVE-2017-8507), a website (CVE-2017-8511), or a PowerPoint file (CVE-2017-8513).
Adobe posts trio of updates
Meanwhile, Adobe has also released a crop of security fixes for its most vulnerable software offerings.
For Flash Player, the June update addresses nine critical vulnerabilities that would allow remote code execution. Five of those are due to memory corruption flaws and four arise from use-after-free conditions in Flash Player.
Users running Chrome, Edge, and newer versions of Internet Explorer (11 and later on Windows 8 or later) are set to get the update automatically from Google and Microsoft's own security teams. Others should download the fix directly from Adobe.
Meanwhile, Shockwave Player has been updated with a fix for a single remote code execution flaw in the Windows version of the software. Users should obtain version 18.104.22.168 for the fix.