Patch Tuesday Includes Fixes For Ancient Windows XP And To Tackle WannaCry

Microsoft’s Patch Tuesday update has included defences to tackle the WannaCry ransomware, and the firm has warned users to apply all the fixes because of state-sponsored cyber-attacks.

Redmond released a total of 97 CVEs, nearly double the number patched in May. And it seems that 19 of these CVEs are rated as ‘Critical’, and 76 are ‘Important’.

To give an idea of the seriousness of this month’s Patch Tuesday, Microsoft has decided to include patches for a number of legacy operating systems it no longer supports.

Legacy OS

The operating systems in question are Windows XP, which Microsoft ceased supporting in April 2014, and Windows Vista, which Microsoft ceased support for in March this year.

In an unprecedented move, Microsoft opted to include defences against the WannaCry ransomware for those users still clinging to XP and Vista.

And Microsoft also took the opportunity to address “vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures”.

“One of the vulnerabilities being resolved in the June Patch Tuesday release is a critical vulnerability in Windows Search that could allow an attacker to gain full control over a system,” explained Chris Goettl, product manager with Ivanti.

“This same vulnerability can be used in an enterprise scenario to remotely exploit systems over SMB,” he said. “In this case, an attacker can remotely take control of a system without need for authentication. This is not one of the previous ETERNAL vulnerabilities that WannaCry and other variants took advantage of, but another SMB vulnerability that has potential to allow for another round of copycat attacks.”

“Microsoft released updates for this new vulnerability on all currently supported Windows OSs, but also released variations for XP and 2003,” he added. “This is unprecedented and reflects the seriousness of the vulnerability that has been detected in exploits in the wild.”

Ivanti’s Goettl also warned system admins to beware of an advisory to do with previously non-public updates that resolve high-risk vulnerabilities.

“Due to recent and past nation state activity and disclosures, Microsoft has reviewed several vulnerabilities and compiled a list of those that are at high risk of exploitation,” he said. “Ivanti is recommending reviewing of this list and ensuring these updates are in place as quickly as possible to prevent potential cyber attacks in the future, some of which may already be underway.

“For Microsoft to review and release several updates for ‘end of lifed’ platforms you can be sure there was good cause,” he added. “For those on outdated platforms this should not be construed as the new norm. In fact, this should reinforce the need to migrate off these legacy platforms as soon as possible to avoid future risk.”

Massive Update

Meanwhile Amol Sarwate, director of vulnerability research at Qualys, has warned system admins that this month’s Patch Tuesday is a massive update and fixes more than double the number of vulnerabilities compared to the last two months.

“Top priority in the list of supported platforms goes to a vulnerability CVE-2017-8543 which according to Microsoft is currently exploited in the wild,” he warned.

“Another high priority issue is CVE-2017-8527 which is the Windows graphic font engine vulnerability that is triggered when users view a malicious website with specially crafted fonts,” he advised.

And businesses using Outlook should patch CVE-2017-8507, as it is another of those issues in which attackers can send a malicious email and take complete control when the user views it in Outlook.

Other patches are for Microsoft Edge and IE, which fix many remote code execution issues.

It should be remembered that Microsoft has now changed its regular Patch Tuesday update process. From March this year it began offering a dynamic online portal (the Security Update Guide) rather than the static bulletins it had published for the past 12 years.

That change was not universally popular as the new format means that system administrators now have to scan tens of pages in order to gain information about crucial updates. That said, the Security Update Guide does provide a number of nice filtering options, but it seems that people are frustrated as a bit of the organisation has now been lost.


Tom Jowitt
