Microsoft released June Patch Tuesday updates that address more than 90 vulnerabilities, including two critical remote code execution (RCE) vulnerabilities that have been exploited in attacks.
The first vulnerability, tracked as CVE-2017-8464, is a LNK remote code execution flaw in Windows that could be triggered by tricking victims into displaying the icon of a specially crafted shortcut file.
“A remote code execution exists in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” states the advisory published by Microsoft. “The attacker could present to the user a removable drive that contains a malicious shortcut file and an associated malicious binary. When the user opens this drive in Windows Explorer or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system,”
According to the experts at the Zero Day Initiative (ZDI), the flaw is similar to one exploited by the Stuxnet worm. The exploit code for the CVE-2017-8464 may affect different components of the code.
In the case of Stuxnet, the remote code execution occurs if a specially crafted shortcut is displayed with a USB thumb drive, but the LNK could also be hosted on a remote drive viewable by the target.
“This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission. While this latest patch may touch different parts of code, the exploit vector remains the same – remote code execution can occur if a specially crafted shortcut is displayed.” states the ZeroDay report. “In the case of Stuxnet, this was done with a USB thumb drive, but the LNK could also be hosted on a remote drive viewable by the target. If there is a positive note here, the exploit only allows for code execution at the logged-on user level – another reminder not to use administrative privileges for daily tasks. Interestingly, there have been reports that the Stuxnet LNK attacks were still prevalent as recently as April 2017, however these appear to be unrelated to this bug.
The good news is that flaw could be exploited to execute code only at the logged-on user level, so for users that don’t have administrator rights in low.
The second RCE vulnerability tracked as CVE-2017-8543, is a remote code execution vulnerability affecting Windows Search.
“A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” states the advisory published by Microsoft.
Microsoft also fixed 18 critical flaws, the last security updates also patch some of the vulnerabilities disclosed at Pwn2Own hacking competition.
(Security Affairs – Microsoft RCE, hacking)