
Patch Tuesday Includes Fixes For Ancient Windows XP And To Tackle WannaCry

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Unprecedented move as update includes patches for ‘unsupported’ Windows XP and Vista

Microsoft’s Patch Tuesday update has included defences to tackle the WannaCry ransomware, and the firm has warned users to apply all the fixes because of state-sponsored cyber-attacks.

Redmond released a total of 97 CVEs, nearly double the number patched in May. Of these, 19 CVEs are rated ‘Critical’ and 76 are rated ‘Important’.

To give an idea of the seriousness of this month’s Patch Tuesday, Microsoft has decided to include patches for a number of legacy operating systems it no longer supports.


Legacy OS

The operating systems in question are Windows XP, which Microsoft ceased supporting in April 2014, and Windows Vista, which Microsoft ceased support for in March this year.

In an unprecedented move, Microsoft opted to include defences against the WannaCry ransomware for those users still clinging to XP and Vista.

And Microsoft also took the opportunity to address “vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures”.

“One of the vulnerabilities being resolved in the June Patch Tuesday release is a critical vulnerability in Windows Search that could allow an attacker to gain full control over a system,” explained Chris Goettl, product manager with Ivanti.

“This same vulnerability can be used in an enterprise scenario to remotely exploit systems over SMB,” he said. “In this case, an attacker can remotely take control of a system without need for authentication. This is not one of the previous ETERNAL vulnerabilities that WannaCry and other variants took advantage of, but another SMB vulnerability that has potential to allow for another round of copycat attacks.”

“Microsoft released updates for this new vulnerability on all currently supported Windows OSs, but also released variations for XP and 2003,” he added. “This is unprecedented and reflects the seriousness of the vulnerability that has been detected in exploits in the wild.”

Ivanti’s Goettl also warned system admins to beware of an advisory to do with previously non-public updates that resolve high-risk vulnerabilities.

“Due to recent and past nation state activity and disclosures, Microsoft has reviewed several vulnerabilities and compiled a list of those that are at high risk of exploitation,” he said. “Ivanti is recommending reviewing of this list and ensuring these updates are in place as quickly as possible to prevent potential cyber attacks in the future, some of which may already be underway.

“For Microsoft to review and release several updates for ‘end of lifed’ platforms you can be sure there was good cause,” he added. “For those on outdated platforms this should not be construed as the new norm. In fact, this should reinforce the need to migrate off these legacy platforms as soon as possible to avoid future risk.”

Massive Update

Meanwhile Amol Sarwate, director of vulnerability research at Qualys, has warned system admins that this month’s Patch Tuesday is a massive update and fixes more than double the number of vulnerabilities compared to the last two months.

“Top priority in the list of supported platforms goes to a vulnerability CVE-2017-8543 which according to Microsoft is currently exploited in the wild,” he warned.

“Another high priority issue is CVE-2017-8527 which is the Windows graphic font engine vulnerability that is triggered when users view a malicious website with specially crafted fonts,” he advised.

And businesses using Outlook should patch CVE-2017-8507, as it is another of those issues in which attackers can send a malicious email and take complete control of the system when the user views it in Outlook.

Other patches are for Microsoft Edge and IE, which fix many remote code execution issues.

It should be remembered that Microsoft has now changed its regular Patch Tuesday update process. From March this year it began offering a dynamic online portal (the Security Update Guide) rather than the static bulletins it had published for the past 12 years.

That change was not universally popular, as the new format means that system administrators now have to scan tens of pages in order to gain information about crucial updates. That said, the Security Update Guide does provide a number of useful filtering options, but administrators have been frustrated that some of the organisation of the old bulletins has been lost.
