In this month's Patch Tuesday, Microsoft has addressed important security vulnerabilities that affect all versions of Windows, including Windows 10. One of these is a critical exploit that could enable attackers to take control of the affected system. Allowing a complete takeover the target machine, the attacker could "view, change, or delete data; or create new accounts with full user rights". Criminals could also install other programs once they have complete admin rights on the system.
"Sort of thing malware writers look for"
In its advisory, Microsoft noted that the attacker with access to a target computer "could send specially crafted messages to the Windows Search service," exploiting this vulnerability "to elevate privileges and take control of the computer".
Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.
Today's Patch Tuesday addresses this critical bug by "correcting how Windows Search handles objects in memory," Microsoft wrote in its security bulletin.
Tracked as CVE-2017-8620, the "Windows Search Remote Code Execution Vulnerability" is "pretty close to wormable and just the sort of thing malware writers look for in a bug" according to Trend Micro's Zero Day Initiative researchers.
All the supported Windows 7 versions, Windows 8.1, and all versions of Windows 10 are affected by this critical bug, which Microsoft says hasn't been exploited in the wild. However, the company warns that the bug is likely to be exploited in future attacks, making it an absolute-must update.
In total, the Redmond software maker has addressed 48 security patches in today's releases covering its desktop operating system, Internet Explorer, Microsoft Edge, Kernel, SharePoint, SQL Server, and others. 25 of these vulnerabilities have been rated as critical, 21 as important, and 2 as moderate in severity.
Windows 10 cumulative updates are now available
Cumulative Updates for all Windows versions, including Windows 10 Creators Update (build 15063.540), Anniversary Update (build 14393.1593), November Update (build 10586.1045) and the original Windows 10 (build 10240.17533) are out for users, carrying important bug fixes.
Build 10563.540 for both PC and Mobile Creators Update is now out, bringing the following fixes:
- Addressed issue where the policies provisioned using Mobile Device Management (MDM) should take precedence over policies set by provisioning packages.
- Addressed issue where the Site to Zone Assignment List group policy (GPO) was not set on machines when it was enabled.
- Addressed issue where the AppLocker rules wizard crashes when selecting accounts.
- Addressed issue where the primary computer relationship is not determined when you have a disjoint NetBIOS domain name for your DNS Name. This prevents folder redirection and roaming profiles from successfully blocking your profile or redirects folders to a non-primary computer.
- Addressed issue where an access violation in the Mobile Device Manager Enterprise feature causes stop errors.
- Security updates to Microsoft Edge, Microsoft Windows Search Component, Microsoft Scripting Engine, Microsoft Windows PDF Library, Windows Hyper-V, Windows Server, Windows kernel-mode drivers, Windows Subsystem for Linux, Windows shell, Common Log File System Driver, Internet Explorer, and the Microsoft JET Database Engine.
For more details on cumulative updates, visit Microsoft.
