CVE-2017-11771
published 2017-10-13CVE-2017-11771: The Microsoft Windows Search component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT…
PriorityP270critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
64.13%
99.1th percentile
The Microsoft Windows Search component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability when it fails to properly handle DNS responses, aka "Windows Search Remote Code Execution Vulnerability".
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | windows_search | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Attack vector is SMB — monitor for unauthenticated remote SMB connections targeting the Windows Search service (WSearch), particularly from external/untrusted hosts in enterprise environments ↗
- →Exploit involves specially crafted messages sent to the Windows Search service; monitor for anomalous traffic or process activity originating from the WSearch service (searchindexer.exe / searchprotocolhost.exe) ↗
- →This is the fourth Windows Search vulnerability in 2017 Patch Tuesdays — treat WSearch as a high-value attack surface; alert on unexpected child processes or network connections spawned by the Windows Search service ↗
- →Exploitation is rated 'More Likely' for both latest and older software releases by Microsoft; prioritize detection on unpatched Windows Search endpoints ↗
- ·Workaround disables WSearch entirely via registry key change (Start=4) and service stop; verify WSearch service start type in registry as a detection signal — value of 4 indicates the service has been intentionally disabled (could also be used by an attacker to cover tracks post-exploitation) ↗
- ·CVE-2017-11771 is NOT related to EternalBlue/WannaCry/Petya SMB vulnerabilities — do not conflate SMB-based detection rules for those campaigns with this vulnerability ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc8.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9vvc-6v43-39qc: The Microsoft Windows Search component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-13
CVE-2017-11771 [CRITICAL] CWE-20 GHSA-9vvc-6v43-39qc: The Microsoft Windows Search component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The Microsoft Windows Search component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability when it fails to properly handle DNS responses, aka "Windows Search Remote Code Execution Vulnerability".
Microsoft
Windows Search Remote Code Execution Vulnerability
vendor_msrc·2017-10-10·CVSS 8.1
CVE-2017-11771 [CRITICAL] Windows Search Remote Code Execution Vulnerability
Windows Search Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target com
No detection rules found.
No public exploits indexed.
Qualys
October Patch Tuesday: 28 Critical Microsoft Vulnerabilities | Qualys
blogs_qualys·2017-10-10·CVSS 8.8
CVE-2017-11826 [HIGH] October Patch Tuesday: 28 Critical Microsoft Vulnerabilities | Qualys
Today Microsoft released patches covering 62 vulnerabilities as part of October’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in Microsoft Office is being actively exploited in the wild.
Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as “Important” and is actively being exploited in the wild.
Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB
Qualys
October Patch Tuesday: 28 Critical Microsoft Vulnerabilities
blogs_qualys·2017-10-10·CVSS 8.8
CVE-2017-11826 [HIGH] October Patch Tuesday: 28 Critical Microsoft Vulnerabilities
Today Microsoft released patches covering 62 vulnerabilities as part of October’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in Microsoft Office is being actively exploited in the wild.
Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826 , which Microsoft has ranked as “Important” and is actively being exploited in the wild.
Priority should also be given to CVE-2017-11771 , which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SM
Talos
Microsoft Patch Tuesday - October 2017
blogs_talos·2017-10-10·CVSS 8.8
[HIGH] Microsoft Patch Tuesday - October 2017
## Microsoft Patch Tuesday - October 2017
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.
## Vulnerabilities Rated Critical The following vulnerabilities are rated "Critical" by Microsoft:
CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability
CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability
CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability
CVE-2017-11763 - Microsoft G
Talos
Microsoft Patch Tuesday - October 2017
blogs_talos·2017-10-10·CVSS 8.8
[HIGH] Microsoft Patch Tuesday - October 2017
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.
## Vulnerabilities Rated CriticalThe following vulnerabilities are rated "Critical" by Microsoft:
- CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability
- CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability
- CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability
- CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerabi
http://www.securityfocus.com/bid/101114http://www.securitytracker.com/id/1039538https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771http://www.securityfocus.com/bid/101114http://www.securitytracker.com/id/1039538https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771
2017-10-13
Published