Another month, another SMB flaw found in Windows -- but this time, Microsoft said Windows Server admins can handle it on their own.
Microsoft sealed off 48 vulnerabilities on August Patch Tuesday, but the company didn't fix a known zero-day Server Message Block (SMB) exploit.
The SMBLoris vulnerability, revealed in July at the annual DEFCON hacker conference, is essentially a remote denial-of-service attack. Two security researchers uncovered the bug while they investigated SMB exploits used in the EternalBlue, Petya and WannaCry attacks earlier this year.
Microsoft said it would not address SMBLoris at this time because the vulnerability can only attack systems through the internet -- and the SMB port should already be firewalled, the researchers said. The company plans to patch SMBLoris at a later date.
Administrators who follow security best practices won't have anything to worry about, but it's one more risk for admins who don't follow every guideline.
"We recommend making sure that you don't have port 445 exposed to the internet and that you use a local firewall to prevent access to port 445 when a system is on an untrusted network," said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif. "That would prevent that type of [SMBLoris] exploitation."
Many administrators impose a heavily restricted firewall for untrusted networks and lighten the firewall as business needs dictate. However, businesses should consider imposing those same levels of security on in-house networks, as well, Graham advised.
"There could probably be more of a tightening on corporate networks that would mitigate [SMBLoris and similar vulnerabilities]," he said.
Déjà vu for Windows Search exploit
Microsoft also addressed a critical vulnerability in the Windows Search service -- for the third straight month -- on August Patch Tuesday.
The remote code execution (RCE) exploit, CVE-2017-8620, occurs when Windows Search handles objects in memory. An attacker who sends a specially crafted message to the Windows Search service could take control of the system and perform a number of actions, such as install programs or delete data.
CVE-2017-8620 is also related to SMB; the attack could trigger the exploit via an SMB connection to command the targeted system. This exploit affects supported versions of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and several of the supported Windows client systems.
Microsoft addressed RCE vulnerabilities in the Windows Search service in both June (CVE-2017-8543) and July (CVE-2017-8589) security updates. None of those vulnerabilities were publicly disclosed prior to their respective Patch Tuesdays, and none were exploited in the wild.
The cluster of fixes could reflect extra diligence by Microsoft's security team as it patches old vulnerabilities -- or it may be a sign that more vulnerabilities might lurk within the Search service, Graham said. Because there's no way to know either way, administrators should continue to follow security best practices.
"Like with anything, it's important to harden services and lock down things," he said.
Windows Server administrators should also take note of CVE-2017-0293, which uses a vulnerability in the Microsoft Windows PDF Library to corrupt memory to let an attacker assume the same rights as the current user. The critical exploit affects Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and several supported Windows client systems.
For more information about the remaining security vulnerabilities released on August Patch Tuesday, visit Microsoft's Security Update Guide.
Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at [email protected].
How to handle bad security updates
Streamline your patching process
Uncover SMBv1 on your Windows systems