Microsoft and Adobe June 2017 Patch Tuesday: Two Exploited Vulnerabilities Patched

Published: 2017-06-13. Last Updated: 2017-06-13 21:07:27 UTC
by Johannes Ullrich (Version: 1)

Today, Microsoft and Adobe released their usual monthly security updates. Microsoft patched a total of 96 different vulnerabilities. Three vulnerabilities have already been disclosed publicly, and two vulnerabilities stick out for being already exploited according to Microsoft:

CVE-2017-8464

This vulnerability can be exploited when a user views a malicious shortcut file. Windows shortcuts are small files that describe the shortcut, including which icon Windows should display to represent it. By including a malicious icon reference, the attacker can execute arbitrary code. This problem is probably most easily exploited by setting up a malicious file share and tricking the user into opening the file share via a link. Similar vulnerabilities have been exploited in Windows in the past. Exploits should surface shortly in public. Microsoft's description of the vulnerability is somewhat self-contradictory. In the past, if a vulnerability had already been exploited in the wild, Microsoft labeled it with an exploitability of "0". In this case, Microsoft uses "1", which indicates that exploitation is likely, even though the vulnerability is already being exploited.

CVE-2017-8543

ETERNALBLUE Reloaded? This vulnerability is another one that is already exploited according to Microsoft. The vulnerability is triggered by sending a malicious "Search" message via SMB. The bulletin does not state whether exploitation requires authentication. The attacker will have full administrative access to the system, so this vulnerability can also be exploited for privilege escalation.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

Comments

Also be aware that Microsoft has released patches for unsupported XP/Server 2003 -- https://technet.microsoft.com/en-us/library/security/4025685.aspx
More info here: http://www.zdnet.com/article/microsoft-reverses-course-patches-three-remaining-nsa-exploits-targeting-windows-xp/
I guess it is up to Shadowbroker now to release more vulnerabilities for MSFT to patch. A bit odd that Microsoft considers these vulnerabilities not publicly disclosed.
A note here, if you have Exchange Server installed:

"At this time, .NET Framework 4.7 is not supported by Exchange Server. Please resist installing it on any of your systems after its release to Windows Update."
https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/
Also be aware that these [the XP, Vista, and Server 2003 new updates] will not download via Windows update or WSUS. You have to download and install them manually.
Here are some details on the Win XP32 patches:

high priority / newly released WinXP32 fixes for issues currently being exploited:
KB4024402 - CVE-2017-8543 - Windows Search Remote Code Execution Vulnerability

KB3197835 - CVE-2017-7269 - WebDAV remote code execution vulnerability

KB4024323 - CVE-2017-8461 - Windows RPC remote code execution vulnerability

KB4025218 - CVE-2017-8487 - Windows olecnv32.dll remote code execution vulnerability

KB4012598 - MS17-010 (WannaCry) - Critical Security Update for Microsoft Windows SMB Server

KB4022747 - CVE-2017-0176 - Remote desktop protocol remote code execution vulnerability

KB4018271 - CVE-2017-0222 - Internet Explorer Memory Corruption Vulnerability


older but critical fixes:
KB958644 - MS08-067 - Critical Vulnerability in Server Service Could Allow Remote Code Execution

KB2347290 - MS10-061 - Critical Vulnerability in Print Spooler Service Could Allow Remote Code Execution


medium priority WinXP32 fixes:
KB4019204 - CVE-2017-8552 - Win32k Elevation of Privilege Vulnerability
* KB4019204 is not remotely exploitable; have to login to system first


lower priority WinXP32 fixes:
KB4018466 - CVE-2017-0267 to 0280 - Windows SMB Remote Code Execution Vulnerabilities
* KB4018466 not being currently exploited

KB4012583 - MS17-013 - Critical Security Update for Microsoft Graphics Component
* KB4012583 has no public exploit; but NSA has an exploit that may have been stolen by Russia
Does anyone know what happened to IE updates?

Both KB4022719 and KB4022726 mention updates for IE and the corresponding security-only updates KB4022722 and KB4022717 do not.

But in previous months, the support articles for the security-only updates explicitly mentioned this difference and listed the KB numbers for the IE updates.

Where are the updates for IE this month?
If you are using an iSCSI target, BE CAREFUL when installing June 2017 Updates!!!...

"If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected."

"Microsoft is researching this problem and will post more information in this article when the information becomes available."

I learned this in a BAD way. :[
