<Vulnerability Alert> Windows Search Remote Code Execution Vulnerability and LNK File Remote Code Execution Vulnerability

It is rumored that today's batch of Windows patches fixes the vulnerabilities the Shadow Brokers were about to release.

Two remote code execution vulnerabilities were disclosed today: (CVE-2017-8543) a Windows Search remote code execution vulnerability (exploitable remotely over SMB) and (CVE-2017-8464) an LNK file (shortcut) remote code execution vulnerability (the LNK vulnerability class that the Stuxnet worm used back in the day).

https://threatpost.com/microsoft-patches-two-critical-vulnerabilities-under-attack/126239/  

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464 

https://support.microsoft.com/zh-cn/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

Chinese-language coverage: http://bobao.360.cn/learning/detail/3977.html

Windows Search Remote Code Execution Vulnerability

The Windows Search Service (WSS) is a basic Windows service that is enabled by default. It allows users to search across multiple Windows services and clients. A remote code execution vulnerability exists in the way Windows Search handles objects in memory. An attacker who successfully exploits this vulnerability can take control of the affected system.

To exploit the vulnerability, an attacker can send specially crafted SMB messages to the Windows Search service, thereby elevating privileges and taking control of the computer. In addition, in an enterprise scenario, an unauthenticated attacker can remotely trigger the vulnerability through an SMB connection and then take control of the target computer.

Affected systems

Desktop systems: Windows 10, 7, 8, 8.1, Vista, XP and Windows RT 8.1

Server systems: Windows Server 2016, 2012, 2008, 2003

Remediation:

Desktop systems Windows 10, 7, 8.1 and Windows RT 8.1, and server systems Windows Server 2016, 2012 and 2008, can be fixed by installing the Microsoft patch automatically through Windows Update.

Windows 8, Vista, XP and Windows Server 2003 can be updated by selecting the corresponding version and installing the patch manually:

https://support.microsoft.com/zh-cn/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms 

LNK File (Shortcut) Remote Code Execution Vulnerability

If a user opens a malicious LNK file specially crafted by an attacker, remote code execution results. An attacker who successfully exploits this vulnerability gains the same user rights as the local user.

An attacker can deliver a malicious LNK file and its associated malicious binary to users via a removable drive (USB stick), a remote share, or similar means. When the user opens the malicious LNK file with Windows Explorer or any other program that parses LNK files, the associated malicious binary code executes on the target system.

Affected versions

Desktop systems: Windows 10, 7, 8.1, 8, Vista and Windows RT 8.1

Server systems: Windows Server 2016, 2012, 2008

Remediation:

Desktop systems Windows 10, 7, 8.1 and Windows RT 8.1, and server systems Windows Server 2016, 2012 and 2008, can be fixed by installing the Microsoft patch automatically through Windows Update.

Windows 8 and Vista can be updated by selecting the corresponding version and installing the patch manually:

https://support.microsoft.com/zh-cn/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms
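Both advisories above come down to the same three questions for a defender: is the June 2017 fix installed, is the Windows Search service running, and is TCP/445 reachable on the host. The following PowerShell posture check is an added example, not part of the original post or of Microsoft's guidance; the KB identifiers are placeholders that must be filled in from the MSRC advisory page for your OS build, and the service name `WSearch` and the built-in cmdlets are standard Windows ones.

```powershell
# Added example: host posture check for CVE-2017-8543 / CVE-2017-8464 (not from the original post).
# Assumption: fill these placeholders with the June 2017 KB numbers for this OS build,
# taken from the MSRC advisory pages linked above.
$ExpectedKBs = @('KB<PLACEHOLDER-JUNE-2017-ROLLUP>')

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS: $($os.Caption) (build $($os.BuildNumber))"

# 1. Patch status: the fix for both CVEs ships in the monthly update, so one missing KB
#    means both the Search and the LNK issue are still open on this host.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing = @()
foreach ($kb in $ExpectedKBs) {
    if ($installed -contains $kb) { Write-Host "$kb : installed" }
    else { Write-Host "$kb : MISSING"; $missing += $kb }
}

# 2. Exposure for CVE-2017-8543: the bug is reached through SMB messages to the
#    Windows Search service, so a running WSearch plus an SMB server listening
#    on 445 is the combination that matters while the patch is absent.
$wsearch = Get-Service -Name WSearch -ErrorAction SilentlyContinue
$searchRunning = ($null -ne $wsearch) -and ($wsearch.Status -eq 'Running')
Write-Host "WSearch service running: $searchRunning"

$smb = Get-SmbServerConfiguration
Write-Host "SMB1 enabled: $($smb.EnableSMB1Protocol)  SMB2 enabled: $($smb.EnableSMB2Protocol)"

# Enabled inbound firewall rules that allow TCP/445 on this host.
$allow445 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
Write-Host "Inbound allow rules for TCP/445: $($allow445.Count)"
$allow445 | ForEach-Object { Write-Host "  - $($_.DisplayName) [$($_.Profile)]" }

# 3. Verdict: unpatched AND Search running AND SMB reachable is the case to escalate.
if ($missing.Count -gt 0 -and $searchRunning -and $allow445.Count -gt 0) {
    Write-Warning "Unpatched host with WSearch running and TCP/445 open: patch now or stop WSearch until patched."
} elseif ($missing.Count -gt 0) {
    Write-Warning "Patch missing; LNK handling (CVE-2017-8464) is still unfixed even if SMB is closed."
} else {
    Write-Host "June 2017 fix present."
}
```

Run it in an elevated PowerShell session on Windows 8/Server 2012 or later, where the `NetSecurity` and `SmbShare` modules are available.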

Kaspersky (Threatpost) original text:

MICROSOFT PATCHES TWO CRITICAL VULNERABILITIES UNDER ATTACK

by Tom Spring, June 13, 2017, 4:23 pm

Microsoft’s Patch Tuesday update today included a massive 95 fixes that tackle vulnerabilities in Windows, Office, Skype, Internet Explorer and its Edge browser. Twenty-seven of Microsoft’s patches fix remote code execution issues, allowing attackers to remotely take control of a victim’s PC. Eighteen patches are rated critical by Microsoft, 76 important and one is rated moderate.

Of greatest concern are two vulnerabilities currently under attack that include a Windows Search Remote Code Execution Vulnerability (CVE-2017-8543) and a LNK Remote Code Execution Vulnerability (CVE-2017-8464).

The more serious of the two, the Windows Search Remote Code Execution Vulnerability patch, tackles an RCE in the Windows OS found in the Windows Search Service (WSS), a feature in Windows that allows users to search across multiple Windows services and clients.

“In an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” according to the bulletin. Affected are Windows Server 2016, 2012, 2008 as well as desktop systems like Windows 10, 7 and 8.1.

The second vulnerability actively being exploited is the LNK Remote Code Execution Vulnerability, which allows an RCE if a specially crafted shortcut is displayed to a user. “If you’re experiencing déjà vu reading the bug title, it’s certainly understandable. This type of vulnerability was used by the Stuxnet malware, then found again several years later through a ZDI program submission,” according to Patch Tuesday commentary by Zero Day Initiative (ZDI).

Those critical patches were supplemented Tuesday by additional patches released by Microsoft on the same day that address fixes for unsupported versions of Windows such as Windows XP and Windows Server 2003. The fixes are meant to stop the WannaCry ransomware outbreak from last month. The patch follows an emergency patch released just weeks ago, also for XP. The updates can be found at Microsoft Download Center, but won’t automatically be delivered through Windows Update.

According to security experts at Qualys, another high-priority issue for sysadmins should be a Windows Graphics RCE Vulnerability (CVE-2017-8527). This vulnerability is triggered when users view a malicious website with specially crafted fonts. “A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system,” Microsoft notes.

“Overall it’s a large security update which is almost double as compared to last two months in the number of patched vulnerabilities. Actively exploited SMB issue CVE-2017-8543 and other Font, Outlook, Office, Edge and IE issues are sure to keep system administrators and security teams busy,” said Amol Sarwate, director of engineering at Qualys.

Sarwate advises organizations using Outlook that they should also prioritize a patch for a Microsoft Office Memory Corruption Vulnerability (CVE-2017-8507), which attackers can exploit by sending a malicious e-mail to a target and take complete control when the recipient views the message in Outlook.

Lastly, Microsoft patches Microsoft Edge and IE for several remote code execution issues (CVE-2017-8498, CVE-2017-8530 and CVE-2017-8523) that are particularly important as they have been publicly disclosed although no attacks have been observed yet, according to Qualys.

Earlier in the day, Adobe fixed 21 vulnerabilities across four products – Flash, Shockwave Player, Captivate, and Adobe Digital Editions.
