As part of June’s Patch Tuesday, Microsoft has released security patches for a total of 96 security vulnerabilities across its products, including fixes for two vulnerabilities being actively exploited in the wild.This month’s patch release also includes emergency patches for unsupported versions of Windows platform the company no longer officially supports to fix three Windows hacking exploits leaked by the Shadow Brokers in the April’s data dump of NSA hacking arsenal.
The June 2017 Patch Tuesday brings patches for several remote code execution flaws in Windows, Office, and Edge, which could be exploited remotely by hackers to take complete control over vulnerable machines with little or no interaction from the user.
While two of the vulnerabilities have been exploited in live attacks, another three flaws have publicly available proof-of-concept (POC) exploits that anyone could use to target Windows users.
Vulnerabilities Under Active Attack
The more critical of the two is the Windows Search RCE vulnerability which is present in most versions of Windows and resides in the Windows Search Services (WSS) — a feature that allows users to search across multiple Windows services and clients.
The vulnerability, which already has publicly disclosed POC exploit code since early February, could allow a remote code execution in the Windows operating system, enabling an attacker to take over the target machine remotely via a network connection.
“To exploit the vulnerability, the attacker could send specially crafted SMB messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer,” Microsoft explains in its advisory.
“Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.”
The SMB vulnerabilities can be extremely dangerous, and the best example of it is the WannaCry ransomware that exploited an SMB flaw within a network to replicate itself to all unpatched machines very quickly.
Windows Server 2016, 2012, 2008 along with desktop systems such as Windows 10, 7 and 8.1 are all affected by this vulnerability.
Shares Striking Resemblance with Stuxnet Malware
Another critical flaw under active exploitation is LNK RCE vulnerability resides in the way Windows handles LNK desktop shortcuts, which could allow remote code execution if the icon of a specially crafted shortcut is displayed to a user.
“The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary,” Microsoft explains.
“When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.”
According to the Zero Day Initiative (ZDI), the active attack exploiting the LNK vulnerability carries some resemblance to the way the dangerous Stuxnet malware infiltrated and sabotaged critical industrial control systems while carrying out its attacks.
“If you’re experiencing déjà vu reading the bug title, it is certainly understandable,” ZDI says in its blog post. “This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission.”
Another three vulnerabilities that have publicly available proof-of-concept exploits include three flaws in the Edge browser, two of which (CVE-2017-8530 and CVE-2017-8523) could allow security feature bypass, while the third (CVE-2017-8498) allows for information disclosure.
Besides this, the Edge browser also receives patches for three more flaws (CVE-2017-8496, CVE-2017-8497, and CVE-2017-8499) that would enable attackers to carry out remote code execution on vulnerable users.
Other patches include fixes for nine of its own remote code execution flaws in Office that could be targeted via DLL files, email messages, a website, and a PowerPoint file.
Adobe June 2017 Patch Updates
The company addresses nine critical bugs in its Flash Player that could allow remote code execution, five of which are due to memory corruption and four are use-after-free conditions in the software.
Users running Chrome, Edge, and Internet Explorer 11 and later will get the update automatically from Google and Microsoft’s security teams, while other users should download the patches directly from Adobe.
Shockwave Player received a patch for a single remote code execution vulnerability in the Windows version of its software. Users should download version Shockwave Player 126.96.36.199 in order to protect themselves.