Microsoft's September Patch Tuesday gave Windows Server administrators a lot to digest, but most updates should be a piece of cake.
After a relatively light workload in August, Microsoft released fixes for 76 vulnerabilities this month. Windows Server admins should prioritize patching systems affected by CVE-2017-8686, a critical remote code execution (RCE) vulnerability in Windows Server 2012 and later, including Server Core installations.
The vulnerability in the Windows Server Dynamic Host Configuration Protocol (DHCP) service lets an attacker who sends crafted packets to a DHCP failover server run arbitrary code on that server or cause the DHCP service to stop responding. The DHCP server is only vulnerable when it is configured for failover; it does not need to be in a failover state at the time. Many large businesses configure failover by default so that a partner server can take over if a DHCP server crashes. As long as the server is not currently in a failover state, the update should be smooth to apply.
"It should be [a] high priority, but assuming you have knowledge of all your DHCP servers, it should be fairly easy to patch," said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif. "It sounds like the code is actually on the failover server, so those will probably be easy to patch, since they're not the active system."
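To act on Graham's point about knowing all of your DHCP servers, the following PowerShell script (an added example, not code from the article or from Microsoft) lists the DHCP servers authorized in Active Directory and reports which of them have an IPv4 failover relationship configured, since failover mode is the precondition for CVE-2017-8686. It assumes the DhcpServer RSAT module is installed on the machine running it and that the account can query each server; the report column names are the script's own.

```powershell
# Added example, not from the article: inventory DHCP servers and flag the ones
# configured for failover, the precondition for CVE-2017-8686.
# Requires the DhcpServer RSAT module (Windows Server 2012 or later) and an
# account allowed to query each DHCP server.
Import-Module DhcpServer

# DHCP servers authorized in Active Directory. Servers that are not authorized
# in AD (workgroup hosts, lab boxes) have to be appended to this list by hand.
$servers = @((Get-DhcpServerInDC).DnsName)

$report = foreach ($server in $servers) {
    try {
        # One object per IPv4 failover relationship; an empty result means the
        # server is not in failover mode and is not exposed to this bug.
        $relationships = @(Get-DhcpServerv4Failover -ComputerName $server -ErrorAction Stop)
    } catch {
        # Unreachable or access denied: surface it rather than silently skipping,
        # because an unknown server is exactly the one that stays unpatched.
        [pscustomobject]@{
            Server = $server; FailoverConfigured = 'unknown'
            Partner = $null; Mode = $null; State = $null; Scopes = $_.Exception.Message
        }
        continue
    }

    if ($relationships.Count -eq 0) {
        [pscustomobject]@{
            Server = $server; FailoverConfigured = $false
            Partner = $null; Mode = $null; State = $null; Scopes = $null
        }
    } else {
        foreach ($r in $relationships) {
            [pscustomobject]@{
                Server             = $server
                FailoverConfigured = $true
                Partner            = $r.PartnerServer
                Mode               = $r.Mode     # LoadBalance or HotStandby
                State              = $r.State    # Normal while both partners are healthy
                Scopes             = ($r.ScopeId -join ', ')
            }
        }
    }
}

# Failover-configured servers go to the front of the patch queue. A State other
# than Normal means the pair is mid-failover; let it settle before rebooting.
$report | Sort-Object FailoverConfigured -Descending | Format-Table -AutoSize
```

Servers reported as `unknown` deserve a manual look: a DHCP server you cannot query from your admin workstation is usually the one nobody remembers to patch.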
Critical NetBIOS vulnerability revealed
Microsoft also closed a critical RCE vulnerability in NetBIOS (CVE-2017-0161) on September Patch Tuesday. A race condition lets an attacker run arbitrary code on the targeted system.
"Conditions have to be exactly right for this to happen," Graham said. "Microsoft does label this as 'exploitation less likely,' which does lead me to believe that there is some complexity involved [to use the vulnerability]."
CVE-2017-0161 affects Windows Server 2008 R2 and later.
Microsoft patched several other critical Windows Server-related vulnerabilities:
- CVE-2017-8682, which is a font-related RCE vulnerability in Windows Server 2008 and above; and
- CVE-2017-8696, which is an RCE vulnerability in the Microsoft Graphics Component in Windows Server 2008 and Windows Server 2008 R2.
Microsoft also patched CVE-2017-8759, a zero-day that FireEye researchers uncovered in the way the .NET Framework handles untrusted input. The vulnerability, rated important, requires a user to open a malicious attachment and leave Microsoft Office Protected View mode. It affects Windows Server 2008 and later.
SMBLoris remains on the loose
Security researchers disclosed the SMBLoris remote denial-of-service vulnerability in July, but Microsoft has still not released a fix for it.
The company said SMBLoris is only a threat to systems that expose SMB to the internet, and it recommended that administrators follow security best practices and block the Server Message Block (SMB) port, TCP 445, from outside access. Graham has not seen any businesses that have struggled with SMBLoris. Administrators concerned about SMB exploits can take steps to avoid headaches.
First, companies should disable SMBv1. Microsoft plans to turn SMBv1 off by default in its major fall updates for Windows 10 and Windows Server 2016.
"With later [SMB] versions, Microsoft added a lot of new security features -- things like encryption to make sure the data is encrypted [and] the credentials are encrypted," Graham said.
Next, keep up with Microsoft's patch releases. In recent months, more admins have been scared straight into taking Patch Tuesday more seriously.
"We saw that the vast, vast majority of people were patching after WannaCry," Graham said. "It definitely motivated them to patch."
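The SMB hardening steps above (keep TCP 445 away from outside networks, disable SMBv1, stay current on patches) as one PowerShell script for a Windows Server host. This is an added example, not code from the article or from Microsoft. It assumes a hypothetical trusted address range of 10.0.0.0/8 and a firewall rule name of its own choosing; the SMBv1 registry value, the FS-SMB1 feature and the mrxsmb10 service changes are the ones Microsoft documents in KB2696547. Run it from an elevated session.

```powershell
# Added example, not from the article: the SMB hardening steps as a script for a
# Windows Server host. Run from an elevated PowerShell session.
# Assumption (hypothetical, adjust to your environment): 10.0.0.0/8 is the only
# address range that should reach SMB on this host.
$trustedRanges = @('10.0.0.0/8')

# --- Step 1: keep SMB (TCP 445) away from outside networks. ---
# Block 445 outright on interfaces in the Public profile, and scope the built-in
# SMB allow rules on the other profiles to the trusted ranges. Host rules
# complement an edge firewall; they do not replace it.
$ruleName = 'Block SMB-In from untrusted networks'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort 445 -Profile Public -Action Block | Out-Null
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Set-NetFirewallRule -RemoteAddress $trustedRanges

# --- Step 2: audit and disable SMBv1 on the server side. ---
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows Server 2012 and later expose the setting as a cmdlet.
    $smb1Before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows Server 2008 R2 has no Smb* cmdlets; use the LanmanServer registry
    # value Microsoft documents in KB2696547. Takes effect after a reboot.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Before = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    New-ItemProperty -Path $params -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
}
"SMB1 server setting before the change: $smb1Before"

# Where the OS ships SMB1 as a removable feature (2012 R2 and later), remove it,
# so a later configuration change cannot quietly switch it back on.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
}

# Disable the SMB1 client driver too (KB2696547), so this host cannot be talked
# down to SMBv1 when it connects outward.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- Step 3: keep up with patches; show what was installed in the last 60 days. ---
Get-HotFix |
    Where-Object { $_.InstalledOn -ge (Get-Date).AddDays(-60) } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn
```

Two caveats before running this in production: the registry and client-driver changes need a reboot to take effect, and removing SMBv1 breaks anything that cannot speak SMBv2 or later (Windows XP and Server 2003 clients, older NAS devices and printers), so audit who still connects over SMBv1 before turning it off.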
For more information about the remaining security bulletins for September Patch Tuesday, visit Microsoft's Security Update Guide.
Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at firstname.lastname@example.org.