Beware ErraticGopher

Marina Kidron Jun 14, 2017

June’s Patch Tuesday fixed 94 vulnerabilities — more than double the count of previous months. It also fixed nine Adobe Flash vulnerabilities as well as vulnerabilities in other Adobe products, Mozilla, etc. — but who’s got time for that when there are NSA-developed exploits floating around?

As if that wasn’t enough, Microsoft also released advisory 4025685 with patches for older platforms including Windows XP, Windows Server 2003, Windows Vista and Windows 8. The advisory explains it contains “critical security updates that are at heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.” This is a nod to The Shadow Brokers’ (TSB) data dumps that have unleashed NSA hacking tools into the public realm, specifically the EsteemAudit, ExplodingCan, ErraticGopher and EnglishmanDentist exploits.

Actively Exploited Vulnerabilities

For vulnerabilities being actively exploited in the wild, here’s what’s newly fixed in June’s Patch Tuesday.


  • Critical remote code execution (RCE) vulnerability affecting all versions of Windows
  • Can be exploited by remotely sending a crafted Windows Server Message Block (SMB) message
  • Does not require user interaction, so it could spread as fast as WannaCry
  • According to Microsoft, it has been exploited in the wild by some unknown nation-state threat actors


  • Critical RCE vulnerability related to Windows LNK files, affecting many Windows versions
  • Microsoft states, “According to the experts at the Zero Day Initiative (ZDI), the flaw is similar to one exploited by the Stuxnet worm”
  • According to Microsoft, it has been exploited in the wild by some unknown nation-state threat actors

The Shadow Brokers’ Exploits

Microsoft also addressed vulnerabilities associated with exploits leaked by TSB (they’ve also updated their TSB response page).

CVE-2017-0176 (aka EsteemAudit)

  • Previously referred to as CVE-2017-9073
  • Critical RCE vulnerability affecting Windows XP and Windows Server 2003 related to RDP

CVE-2017-7269 (aka ExplodingCan)

  • Critical RCE vulnerability in Windows XP and Windows Server 2003, related to IIS and WebDAV

CVE-2017-8461 (aka ErraticGopher)

  • Critical RCE vulnerability in Windows XP and Windows Server 2003, related to Windows RPC

CVE-2017-8487 (aka EnglishmanDentist)

  • Critical RCE vulnerability in Windows XP and Windows Server 2003, related to Windows OLE

If the WannaCry ransomware attack taught us anything, it’s that you don’t want to sit on patchable vulnerabilities that are being exploited in the wild. Remember, if you can’t patch, consider your compensating controls like firewall rule changes, IPS signatures, etc. to cut off these vulnerabilities from attackers, and to properly segment your network to limit the spread of an attack.

And for the love of god, block port 445 access from the internet.
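One way to check a perimeter rule set for this kind of exposure, as an added example that is not from the original post. The one-line rule format, the sample rules and every port number other than 445 (the usual defaults for the services named above) are assumptions for illustration.

```python
import ipaddress

# Default TCP ports for the services named in this post. Only 445 is
# stated in the post; the other numbers are well-known defaults.
SERVICE_PORTS = {445: "SMB", 3389: "RDP", 80: "HTTP (IIS/WebDAV)",
                 135: "RPC endpoint mapper"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(rule):
    """'allow 0.0.0.0/0 445' or 'deny 10.0.0.0/8 135-139' -> tuple."""
    action, src, ports = rule.split()
    lo, _, hi = ports.partition("-")
    return action, ipaddress.ip_network(src), int(lo), int(hi or lo)

def is_internal(net):
    return any(net.subnet_of(r) for r in RFC1918)

def exposed_services(rules):
    """Map each watched port to the allow rule that opens it to
    non-internal sources. First match wins, default deny. Conservative:
    an allow rule counts unless one earlier deny covers its whole
    source range for that port."""
    parsed = [(parse(r), r) for r in rules]
    findings = {}
    for port in SERVICE_PORTS:
        denied = []  # source networks already denied for this port
        for (action, net, lo, hi), text in parsed:
            if not lo <= port <= hi:
                continue
            if action == "deny":
                denied.append(net)
            elif not is_internal(net) and not any(net.subnet_of(d) for d in denied):
                findings[port] = text
                break
    return findings

# Constructed inbound rule sets in the hypothetical format above.
WEAK = [
    "deny 0.0.0.0/0 135-139",
    "allow 10.0.0.0/8 445",   # internal file sharing only
    "allow 0.0.0.0/0 3389",
    "allow 0.0.0.0/0 445",    # SMB reachable from the internet
    "allow 0.0.0.0/0 135",    # never matches: shadowed by the first rule
]
HARDENED = ["allow 10.0.0.0/8 445", "deny 0.0.0.0/0 445", "deny 0.0.0.0/0 3389"]

if __name__ == "__main__":
    for port, rule in sorted(exposed_services(WEAK).items()):
        print(f"{SERVICE_PORTS[port]} ({port}/tcp) exposed by: {rule}")
```

A finding for port 80 on an intentional public web server is a prompt to confirm the host is patched, not necessarily a rule to remove.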

Stay safe out there.



Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor's degree in Computer Science and Mathematics.
