Marina Kidron Jun 14, 2017
June’s Patch Tuesday fixed 94 vulnerabilities — more than double the count of previous months. It also fixed nine Adobe Flash vulnerabilities as well as vulnerabilities in other Adobe products, Mozilla, etc. — but who’s got time for that when there are NSA-developed exploits floating around?
As if that wasn’t enough, Microsoft also released advisory 4025685 with patches for older platforms including Windows XP, Windows Server 2003, Windows Vista and Windows 8. The advisory explains it contains “critical security update that are at heightened risk of exploitation due to past and threatened nation–state attacks and disclosures.” This is a nod to The Shadow Brokers’ (TSB) data dumps that have unleashed NSA hacking tools into the public realm, specifically the EsteemAudit, ExplodingCan, ErraticGopher and EnglishmanDentist exploits.
Actively Exploited Vulnerabilities
For vulnerabilities being actively exploited in the wild, here’s what’s newly fixed in June’s Patch Tuesday.
- Critical remote code execution (RCE) vulnerability affecting all Windows versions
- Can be exploited by remotely sending a crafted Windows Server Message Block (SMB) message
- Does not require user interaction, so it could spread as fast as WannaCry
- According to Microsoft, it has been exploited in the wild by some unknown nation–state threat actors
- Critical RCE vulnerability related to Windows LNK files, affecting many Windows versions
- Microsoft states, “According to the experts at the Zero Day Initiative (ZDI), the flaw is similar to one exploited by the Stuxnet worm”
- According to Microsoft, it has been exploited in the wild by some unknown nation-state threat actors
The Shadow Brokers’ Exploits
Microsoft also addressed vulnerabilities associated with exploits leaked by TSB (they’ve also updated their TSB response page).
CVE-2017-0176 (aka EsteemAudit)
- Previously referred to as CVE-2017-9073
- Critical RCE vulnerability affecting Windows XP and Windows Server 2003 related to RDP
CVE-2017-7269 (aka ExplodingCan)
- Critical RCE vulnerability in Windows XP and Windows Server 2003, related to IIS and WebDAV
CVE-2017-8461 (aka ErraticGopher)
- Critical RCE vulnerability in Windows XP and Windows Server 2003, related to Windows RPC
CVE-2017-8487 (aka EnglishmanDentist)
- Critical RCE vulnerability in Windows XP and Windows Server 2003, related to Windows OLE
If the WannaCry ransomware attack taught us anything, it’s that you don’t want to sit on patchable vulnerabilities that are being exploited in the wild. Remember, if you can’t patch, consider your compensating controls like firewall rule changes, IPS signatures, etc. to cut off these vulnerabilities from attackers, and to properly segment your network to limit the spread of an attack.
And for the love of god, block port 445 access from the internet.
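The compensating-control advice above can be checked rather than assumed. The following is an added example (not Skybox code, and not tied to any real firewall product) that simulates first-match evaluation of a firewall policy and reports which internal hosts would still accept SMB or RDP from an arbitrary internet address. The port mapping (445/tcp and 139/tcp for SMB, 3389/tcp for RDP), the `internet` source token meaning any non-RFC1918 address, the rule format and the sample policy are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard ports for the services behind the exploits discussed in the post
# (assumed mapping, not stated on the page): SMB rides on 445/tcp (and 139/tcp
# over NetBIOS), RDP on 3389/tcp.
WATCHED_PORTS = {445: "SMB", 139: "SMB over NetBIOS", 3389: "RDP"}

# RFC 1918 space; anything outside it is treated as "the internet" for this audit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, or the token "internet" (= any non-RFC1918 source)
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every destination port


def _src_matches(rule: Rule, src: ipaddress.IPv4Address) -> bool:
    if rule.src == "internet":
        return not is_internal(src)
    return src in ipaddress.ip_network(rule.src)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Optional[Rule]:
    """First-match evaluation, as most firewalls do it; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (_src_matches(rule, src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule
    return None


def find_internet_exposure(rules: List[Rule], hosts: List[str],
                           probe_src: str = "203.0.113.10") -> List[Tuple[str, int, str]]:
    """Simulate a packet from a constructed internet address (TEST-NET-3) to each
    host and watched port; report every (host, port, service) that would be allowed."""
    exposed = []
    for host in hosts:
        for port, service in WATCHED_PORTS.items():
            hit = first_match(rules, probe_src, host, "tcp", port)
            if hit is not None and hit.action == "allow":
                exposed.append((host, port, service))
    return exposed


def prepend_perimeter_block(rules: List[Rule]) -> List[Rule]:
    """The compensating control from the post: deny the watched ports from the
    internet ahead of everything else, leaving internal-to-internal SMB/RDP untouched."""
    blocks = [Rule("deny", "internet", "0.0.0.0/0", "tcp", port) for port in WATCHED_PORTS]
    return blocks + list(rules)


# Constructed sample policy: one internal file server accidentally published on 445/tcp.
SAMPLE_RULES = [
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8", "any", None),   # east-west traffic
    Rule("allow", "internet", "10.0.5.20/32", "tcp", 445),    # the mistake
    Rule("allow", "internet", "10.0.5.30/32", "tcp", 443),    # public HTTPS, fine
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),      # explicit default deny
]
SAMPLE_HOSTS = ["10.0.5.20", "10.0.5.30"]

if __name__ == "__main__":
    for host, port, service in find_internet_exposure(SAMPLE_RULES, SAMPLE_HOSTS):
        print(f"EXPOSED: {host}:{port}/tcp ({service}) reachable from the internet")
    hardened = prepend_perimeter_block(SAMPLE_RULES)
    print("after hardening:", find_internet_exposure(hardened, SAMPLE_HOSTS))
    print("internal SMB still works:",
          first_match(hardened, "10.0.9.9", "10.0.5.20", "tcp", 445).action)
```

Running it against the sample policy flags `10.0.5.20:445/tcp`; after the perimeter deny rules are prepended, nothing on the watched ports is reachable from outside while an internal client's SMB session is still allowed by the east-west rule, which is the property the advice above is after. A real audit would load the exported ruleset from the firewall instead of the constructed list, and the same first-match simulation applies.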
Stay safe out there.
Be ready for the next WannaCry. Get the special report to see how Skybox can help you be proactive against the threat of ransomware and other distributed cybercrime attacks.
Download the free Gartner report, It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats, and start focusing remediation on the small set of vulnerabilities posing the greatest risk.