
Microsoft Just Fixed a Wormable Bug in Windows Search Affecting All OS Versions



The Microsoft August 2017 Patch Tuesday security patches include fixes for 48 issues, of which 25 are rated critical, but none is as ominous as CVE-2017-8620.

This bug is a vulnerability in the Windows Search service and affects all currently supported versions of Windows.


The vulnerability — discovered internally at Microsoft by Nicolas Joly of MSRC Vulnerabilities & Mitigations — allows an attacker to execute code and take over unpatched computers.


The issue is quite serious if we consider the ubiquity of the Windows Search service. Below is Microsoft's full explanation regarding CVE-2017-8620:


A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.

CVE-2017-8620 can be used for self-spreading worms

The danger comes from the vulnerability's potential of being used for self-spreading worms. We've all seen what happens when malware coders combine classic malware with worm components (cough WannaCry, cough NotPetya).


"That’s pretty close to wormable and just the sort of thing malware writers look for in a bug," says Trend Micro's Zero-Day Initiative team in a review of yesterday's Patch Tuesday fixes.


In addition, Symantec claims that "failed attacks [using CVE-2017-8620] will cause denial of service conditions," leading Windows installations to malfunction or shut down.

Sysadmins should disable WSearch if they can't patch

If there should be a reason for users to apply this month's Patch Tuesday updates, then CVE-2017-8620 should be the one.


In cases where system administrators can't update systems due to incompatibilities and other reasons, Microsoft recommends they disable the WSearch service as a workaround, but this will also disable any search functions on those machines. Instructions to disable or re-enable the WSearch service are available here.


Article source

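One way to script the WSearch workaround the article describes, as an added example that is not part of the original post and not Microsoft's published instructions. The function name `Set-WSearchWorkaround` and the state-file path are hypothetical; run it from an elevated PowerShell prompt.

```powershell
# Added example: apply or revert the "disable WSearch" workaround locally.
# Function name and state-file location are assumptions for illustration.
function Set-WSearchWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Restore')]
        [string]$Mode,
        [string]$StateFile = "$env:ProgramData\wsearch-startmode.txt"
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'"
    if (-not $svc) {
        Write-Warning 'WSearch service is not present on this machine.'
        return
    }

    if ($Mode -eq 'Disable') {
        # Save the original start mode once, so Restore can put it back.
        if ($svc.StartMode -ne 'Disabled' -and
            $PSCmdlet.ShouldProcess($StateFile, 'Save current start mode')) {
            Set-Content -Path $StateFile -Value $svc.StartMode
        }
        if ($PSCmdlet.ShouldProcess('WSearch', 'Disable and stop')) {
            # Disable first so nothing restarts the service after the stop.
            Set-Service -Name WSearch -StartupType Disabled
            Stop-Service -Name WSearch -Force -ErrorAction SilentlyContinue
        }
    }
    else {
        # Win32_Service reports 'Auto', 'Manual' or 'Disabled'.
        # A delayed automatic start is not preserved; it comes back as Automatic.
        $saved = if (Test-Path $StateFile) { (Get-Content $StateFile -TotalCount 1).Trim() } else { 'Auto' }
        $type  = if ($saved -eq 'Manual') { 'Manual' } else { 'Automatic' }
        if ($PSCmdlet.ShouldProcess('WSearch', "Set startup to $type and start")) {
            Set-Service -Name WSearch -StartupType $type
            Start-Service -Name WSearch
        }
    }

    # Report the resulting state so the change can be verified and logged.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'" |
        Select-Object Name, State, StartMode
}

# Dry run: shows what would change without touching the service.
Set-WSearchWorkaround -Mode Disable -WhatIf
```

Drop `-WhatIf` to apply the change, and use `-Mode Restore` after patching to bring search back.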

Disable WSearch and install Everything. Problem solved. I did this years ago. Did not know about the vulnerability until just now though. Nice article.


11 hours ago, Agent 86 said:

Disable WSearch and install Everything. Problem solved. I did this years ago. Did not know about the vulnerability until just now though. Nice article.

Sometimes Everything gives freaky results though. Last night on one of my drives Everything was showing a 700 MB file I thought I deleted, and nowhere else did it show up: not in Windows Explorer, XYplorer, Linux, LockHunter, or DelinvFile. So I ended up having to move all the files out of the folder it said it was in into a new folder and deleting the folder; then Everything said it was gone. :)



This topic is now archived and is closed to further replies.
