August Patch Tuesday fixes critical vulnerability in Windows' search services

And there's a monster bunch of Adobe Acrobat and Flash bug fixes, too

Microsoft's latest Patch Tuesday includes fixes for 48 vulnerabilities across six products, with 15 of them affecting Windows, but Adobe has topped the software giant (once again) with patches for 67 vulnerabilities - 43 of them labelled ‘critical'.

Top of Microsoft's fixes is one for a Windows Search remote code execution flaw that could be exploited by the same security flaw in SMBv1 used in the explosive propagation of May's WannaCry ransomware - although any organisation that hasn't already rigorously applied the security fix for the SMBv1 flaw probably deserves everything that's coming to them.

However, many of the Microsoft fixes are for flaws labelled as either ‘critical or ‘important', meaning they should be applied as a matter of priority.

Complicating matters, according to Bobby McKeown, senior manager of engineering at Rapid7, are a number of revisions that will require the installation of particular prior patches. "[There were] a few revisions to CVE-2017-0071, CVE-2017-0228 and CVE-2017-0299 that will require the installation of July (CVE-2017-0071) and August (CVE-2017-0228 and CVE-2017-0299) patches to ensure users are fully protected," said McKeown.

The other Microsoft products receiving a slew of fixes are the web browsers Internet Explorer and Edge (obviously), SharePoint, and Microsoft's SQL Server database.

Top priority should go to CVE-2017-8620 which is a vulnerability in Windows' search service. This can be exploited remotely via SMB and take complete control of a system, impacting both servers and workstations," said Jimmy Graham, director of product management at Qualys.

Graham added: "A large part of this release surrounds vulnerabilities involving the Scripting Engine which can impact both browsers and Microsoft Office. This should be considered a priority for workstation-type systems."

However, there is one particular outstanding issue that Microsoft hasn't fixed, suggested Rapid7's McKeown: "We were waiting to see if Microsoft would release any patches for the recently disclosed SMBLoris vulnerability, but Microsoft hasn't taken any action to address this in this round of patches."

This can no doubt be expected next month.

In terms of Adobe, it wasn't Flash that was the focus of the company's security efforts this month, but Acrobat Reader. Adobe's wodge of patches address only two acknowledged security flaws with Flash with the rest focusing on Acrobat and Acrobat Reader.

"It covers 43 ‘critical' and 24 ‘important' CVEs," advised Trend Micro's Zero Day Initiative (ZDI), a program that rewards security researchers for responsible disclosure, in a blog post.

It continued: "A total of 57 of these unique CVEs were due to 65 separate bug submissions to the ZDI program. The patch mostly addresses use-after-free and memory corruption issues that could allow a remote attacker to execute their code on a target system if they can convince a user to open a maliciously crafted file."

Computing's DevOps Summit returns on 19 September. Attendance is free to qualifying IT leaders and other senior IT professionals, but places will go fast, so secure yours now.