Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)

June 14, 2017

Summary

A remote code execution vulnerability exists in the way Windows Search handles objects in memory. An attacker can exploit it by sending specially crafted messages to the Windows Search service, which in a networked environment can be delivered over an SMB connection. [4]

Citing recent nation-state activity and the elevated risk of destructive cyber attacks, Microsoft also released security updates for older, unsupported versions of Windows for this issue, alongside other high-severity fixes in the June 2017 release. [1]

Impact

An attacker who successfully exploits this vulnerability could take control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

In an enterprise scenario, a remote unauthenticated attacker could trigger the vulnerability through an SMB connection and take control of the target computer without any user interaction, the same network-borne attack path used by the recent WannaCry ransomware attacks. [2]

Vulnerable

  • Windows Server 2016, 2012, 2008
  • Windows 10, 7 and 8.1
  • Unsupported versions of Windows such as Windows XP and Windows Server 2003

Recommendations

  • Windows systems with automatic updates enabled will receive the fix without further action; confirm that the June 2017 update has actually been installed before treating a host as protected. [2]
  • For Windows systems that are updated manually, resource managers are encouraged to expedite their normal Windows patch schedule this month because of the severity of this and other vulnerabilities in the June release.
  • For Windows versions that are officially out of support (such as Windows XP and Windows Server 2003), check for and apply the exceptional security updates Microsoft has published for older platforms. [5]
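The following PowerShell script is an added example for carrying out the checks above on a single host; it is not part of the original advisory or Microsoft's own tooling. It assumes PowerShell 3.0 or later in an elevated session, and it deliberately does not hard-code a KB number: the operator passes the KB ID(s) of the June 2017 update for that host's Windows version (looked up in the Microsoft Security Update Guide) as the $RequiredKBs parameter. The script reports the OS build, whether those KBs are installed, the state of the Windows Search service (the vulnerable component), and whether Automatic Updates are disabled by policy.

```powershell
<#
  Added example, not from the original advisory.
  Audit one Windows host for the June 2017 update addressing CVE-2017-8543.

  Assumptions:
    - $RequiredKBs is supplied by the operator (e.g. @('KBnnnnnnn')); the real
      KB number differs per Windows version and is NOT hard-coded here.
    - PowerShell 3.0+ (Get-CimInstance), run elevated on the host being checked.
#>
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RequiredKBs
)

# 1. Identify the OS so the operator can confirm the KB list matches this build.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} (version {2})" -f $env:COMPUTERNAME, $os.Caption, $os.Version)

# 2. Compare installed hotfixes against the KBs the operator expects.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "PATCHED: all required updates present ($($RequiredKBs -join ', '))"
} else {
    Write-Warning "MISSING: $($missing -join ', ') -- apply the June 2017 update"
}

# 3. Report the Windows Search service (vulnerable component) and the Windows
#    Update service, using Win32_Service so StartMode is available on older hosts.
foreach ($name in 'WSearch', 'wuauserv') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc) {
        Write-Host ("Service {0,-9} State={1,-8} StartMode={2}" -f $name, $svc.State, $svc.StartMode)
    } else {
        Write-Host ("Service {0,-9} not present on this host" -f $name)
    }
}

# 4. Automatic Updates policy: NoAutoUpdate=1 means the host will not patch itself,
#    so it falls under the "manually updated" recommendation above.
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auPath -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Write-Warning "Automatic Updates are disabled by policy; patch this host manually"
} else {
    Write-Host "Automatic Updates are not disabled by policy"
}
```

Usage: `.\Check-CVE-2017-8543.ps1 -RequiredKBs 'KBnnnnnnn'` (substitute the KB ID for the host's Windows version). Get-HotFix only lists updates recorded in the Windows Update history, so a host patched from an offline package that does not register a KB may show as MISSING; treat the output as a prompt to verify, not as proof of exposure.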

References

[1]  https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-update-release/
[2]  https://krebsonsecurity.com/2017/06/microsoft-adobe-ship-critical-fixes/
[3]  https://threatpost.com/microsoft-patches-two-critical-vulnerabilities-under-attack/126239/
[4]  http://blog.talosintelligence.com/2017/06/ms-tuesday.html
[5]  https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms