This content is part of the Essential Guide: Catch up on the Windows Server patches of 2017

Microsoft spotlights exploit connected to SMB on July Patch Tuesday

Administrators should prioritize yet another vulnerability associated with the SMB protocol that could allow attackers to overtake Windows systems.

Windows Server administrators can't catch a break when it comes to vulnerabilities and the Server Message Block...


Microsoft addressed 54 vulnerabilities on July Patch Tuesday, including yet another potential exploit connected to Server Message Block (SMB), which has been the vulnerability du jour of recent ransomware attacks.

One remote code execution vulnerability in all supported versions of Windows Server, labeled CVE-2017-8589, could allow an attacker to take control of a system through an SMB connection. This vulnerability resides in the Window Search service and how it handles files, but the attacker can use an SMB connection as an attack vector to compromise the host.

While it uses SMB, this vulnerability is not related to the exploits used in the WannaCry attacks earlier this year, which were originally compiled by the National Security Agency and then leaked by hackers. But administrators should be vigilant anytime a vulnerability related to SMB is discovered, because the network file-sharing protocol has a large attack surface, said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif.

"That's the easiest way to get to a system -- almost every Windows system is going to be running SMB of some kind," he said. "If I were going to try to exploit a system, I would focus on that."

Exploits in Windows Explorer, web browsers addressed

A 30-day patching cycle might not be [quick] enough to have all of your systems covered by the time malware comes out.
Jimmy Grahamdirector of product management, Qualys Inc.

Another vulnerability that affects all supported versions of Windows Server, CVE-2017-8563, could allow attackers to elevate privileges and obtain system-level access to domain controllers. Microsoft only rates this as important instead of critical, but Graham advised Windows Server admins to address it quickly.

Graham also highlighted CVE-2017-8463, a vulnerability in Windows Explorer that could become a target for exploit kits even though it requires heavy user interaction, Graham said. The exploit also resides in the Internet Explorer and Edge web browsers.

"[The vulnerability] would require someone to get a system on the network, create a malicious share, drop some malware in it and then send that in an instant messaging link or an email," he said.

Urgent care needed

Microsoft seemed to catch its breath with July Patch Tuesday. In June, the company issued updates for a whopping 94 vulnerabilities, including some for unsupported systems, such as Windows Server 2003.

Although July Patch Tuesday addressed just 54 vulnerabilities -- with only 19 listed as critical -- admins should treat them seriously and patch them quickly. As the WannaCry attacks showed, attackers don't need long to take advantage of an unpatched system.

"Looking at the patch-to-exploit time frame, those time frames have been so compressed [recently]," Graham said. "Obviously, testing is still required, and you need to test patches before you deploy them in your environment. But what we've seen is less than 30 days from the exploit release and the malware release in WannaCry.

"So, with that the case, a 30-day patching cycle might not be [quick] enough to have all of your systems covered by the time malware comes out."

For more information about the remaining security vulnerabilities released on July Patch Tuesday, visit Microsoft's Security Update Guide.

Dan Cagen is the associate site editor for Write to him at [email protected].

Next Steps

Adapt to Microsoft's patching changes

Admins lose some control with new patching process

Security Update Guide brings growing pains

Dig Deeper on Windows Server troubleshooting