Patch Tuesday - July 2017

Most of the critical vulnerabilities patched this month concern client-side systems, with 14 separate Remote Code Execution (RCE) issues being addressed for the Microsoft Edge browser and five for Internet Explorer. One of the three Adobe Flash Player vulnerabilities being patched is also a critical RCE bug (CVE-2017-3099). Of the 54 Microsoft CVEs addressed, 33 relate to Edge and 14 to Internet Explorer.

Browser-based RCE vulnerabilities are a significant attack vector, but they typically require some degree of social engineering in order to convince the user to visit a malicious web page. Similarly with most Microsoft Office bugs (eight CVEs this month), users need to be tricked into opening attachments. More concerning are RCE vulnerabilities that do not require any user interaction. Exploits can be weaponized to quickly spread malware, as we’ve seen with the recent ransomware outbreaks.

This month, Microsoft has fixed CVE-2017-8589, a critical RCE vulnerability that could allow an attacker to take full control of a system by sending specially crafted messages to the Windows Search service. This typically requires access to the target computer. However, in an enterprise setting, it is possible for a remote, unauthenticated actor to trigger the vulnerability via an SMB connection. Fixes for CVE-2017-8589 have been released for all supported versions of Windows, so server administrators aren’t off the hook for patching. There is also CVE-2017-8501, which affects SharePoint Enterprise Server 2013.

One final point of interest: last month, Microsoft released a fix for CVE-2017-8529 (a browser information disclosure vulnerability whereby an attacker can detect specific files on the user’s computer) that broke the printing functionality in Internet Explorer and Edge for some users. Over the next two weeks they released various updates to resolve the printing issue, which ultimately removed the protection against CVE-2017-8529. Microsoft has still not been able to resolve the security issue without reintroducing the printing bug, and customers who take automatic updates will still be vulnerable. As of this writing, the only way to be protected is to have applied the June updates and no others (which is not recommended). The severity of CVE-2017-8529 is considered low (on server systems) to moderate (otherwise). If it is of concern, for example on particularly sensitive systems, a workaround would be to use a different web browser until this vulnerability is correctly patched.