Microsoft has released fixes for 25 critical flaws, including one that’s likely to be used in malware.
Microsoft’s August update addresses a total of 48 flaws, more than half of which are critical remote code execution flaws. The bugs impact Microsoft’s Edge and Internet Explorer, Windows PDF, Windows Search, SharePoint, and Microsoft’s new Windows Subsystem for Linux. There are also updates for Adobe’s Flash Player plugin in Microsoft’s browsers.
Trend Micro’s ZDI, though, reckons a Windows Search flaw, tagged as CVE-2017-8620, is “by far the most critical bug” this month, in part due to its similarity to a past Search flaw that was attacked. The bug will be attractive to malware authors for its wormable potential.
“An attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” Trend Micro notes, adding that admins should disable the SMBv1 file-sharing protocol.
Microsoft notes the attacker could send specially crafted messages to the Windows Search service to exploit the bug, but says it is not currently being exploited. It affects all supported versions of Windows and Windows Server.
Two other “important” bugs have been made public, including a denial-of-service flaw affecting Microsoft’s new Windows Subsystem for Linux for Windows 10, and an elevation-of-privilege flaw in Windows Error Reporting.
Google and Microsoft…