Microsoft today released security updates to fix almost a hundred flaws in its various Windows operating systems and related software. One bug is so serious that Microsoft is issuing patches for it on Windows XP and other operating systems the company no longer officially supports. Separately, Adobe has pushed critical updates for its Flash and Shockwave players, two programs most users would probably be better off without.
According to security firm Qualys, 27 of the 94 security holes Microsoft patches with today’s release can be exploited remotely by malware or miscreants to seize complete control over vulnerable systems with little or no interaction on the part of the user.
Microsoft this month is fixing another serious flaw (CVE-2017-8543) present in most versions of Windows that resides in the feature of the operating system which handles file and printer sharing (also known as “Server Message Block” or the SMB service).
SMB vulnerabilities can be extremely dangerous if left unpatched on a local (internal) corporate network. That’s because a single piece of malware that exploits this SMB flaw within a network could be used to replicate itself to all vulnerable systems very quickly.
It is this very “wormlike” capability — a flaw in Microsoft’s SMB service — that was harnessed for spreading by WannaCry, the global ransomware contagion last month that held files for ransom at countless organizations and shut down at least 16 hospitals in the United Kingdom.
According to Microsoft, this newer SMB flaw is already being exploited in the wild. The vulnerability affects Windows Server 2016, 2012, 2008 as well as desktop systems like Windows 10, 7 and 8.1.
The SMB flaw — like the one that WannaCry leveraged — also affects older, unsupported versions of Windows such as Windows XP and Windows Server 2003. And, as with that SMB flaw, Microsoft has made the unusual decision to make fixes for this newer SMB bug available for those older versions. Users running XP or Server 2003 can get the update for this flaw here.
“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” wrote Eric Doerr, general manager of Microsoft’s Security Response Center.
“Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly,” Doerr wrote. “As always, we recommend customers upgrade to the latest platforms. “The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”
The default browsers on Windows — Internet Explorer or Edge — get their usual slew of updates this month for many of these critical, remotely exploitable bugs. Qualys says organizations using Microsoft Outlook should pay special attention to a newly patched bug in the popular mail program because attackers can send malicious email and take complete control over the recipient’s Windows machine when users merely view a specially crafted email in Outlook.
For starters, hardly any sites require this plugin to view content. More importantly, Adobe has a history of patching Shockwave’s built-in version of Flash several versions behind the stand-alone Flash plugin version. As a result Shockwave has been a high security risk to have installed for many years now. For more on this trend, see Why You Should Ditch Adobe Shockwave.
Same goes for Adobe Flash Player, which most users these days can probably get by with enabling only in the rare instance that it’s required. I recommend that users who have an affirmative need for Flash leave it disabled until that need arises. Otherwise, get rid of it.
Adobe patches dangerous new Flash flaws all the time, and Flash bugs are still the most frequently exploited by exploit kits — malware booby traps that get stitched into the fabric of hacked and malicious Web sites so that visiting browsers running vulnerable versions of Flash get automatically seeded with malware.
For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.
If you choose to keep Flash, please update it today to version 220.127.116.11. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera).
Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if there is an update available, Chrome should install it then.
As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.
Update, May 16, 10:38 a.m. ET: Microsoft has revised its bulletin on the vulnerability for which it issued Windows XP fixes (CVE-2017-8543) to clarify that the problem fixed by the patch is in the Windows Search service, not the SMB service as Microsoft previously stated in the bulletin. The original bulletin from Microsoft’s Security Response Center incorrectly stated that SMB was part of this vulnerability; rather, SMB has nothing to do with this vulnerability and was not patched. The vulnerability is in Windows Search only. I’m mentioning it here because a Windows user or admin thinking that turning off SMB or blocking SMB would stop all vectors to this attack would be wrong and still vulnerable without the patch. All an attacker needs to do is get some code to talk to Windows Search in a malformed way – even locally — to exploit this Windows Search flaw.
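The point of the correction above is that the exposed component is the Windows Search service (WSearch), so an inventory check should look at that service and at whether the fix is installed, not at SMB. The following PowerShell script is an added example, not from the article or from Microsoft; the KB number is a placeholder that must be replaced with the one from Microsoft’s bulletin for the OS in question, and the SMB1 line is reported only to show that it is irrelevant to this flaw.

```powershell
# Added example (not from the article): check one host for CVE-2017-8543 exposure.
# PLACEHOLDER: replace with the real KB from Microsoft's bulletin for this OS version.
$KbForCve20178543 = 'KB0000000'

# 1. The vulnerable component is the Windows Search service (WSearch).
$search = Get-Service -Name 'WSearch' -ErrorAction SilentlyContinue
$searchRunning = ($null -ne $search) -and ($search.Status -eq 'Running')

# 2. Has the fix for this CVE been installed?
$patched = $null -ne (Get-HotFix -Id $KbForCve20178543 -ErrorAction SilentlyContinue)

# 3. SMB1 state, reported only to make the point: disabling SMB is NOT a mitigation here.
$smb1 = try { (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { 'unknown' }

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    WSearchStatus = if ($search) { $search.Status } else { 'NotInstalled' }
    Patched       = $patched
    SMB1Enabled   = $smb1
    # Exposed regardless of the SMB1 value: the flaw is reachable through Windows Search alone.
    Exposed       = ($searchRunning -and -not $patched)
} | Format-List

if ($searchRunning -and -not $patched) {
    Write-Warning 'Windows Search is running and the fix is missing; blocking SMB does not close this hole. Install the update.'
}
```

Get-SmbServerConfiguration needs an elevated prompt on Windows 8/Server 2012 and later and does not exist on XP or Server 2003, which is why its failure is caught rather than treated as a finding.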