CVE-2017-8543
published 2017-06-15CVE-2017-8543: Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1…
PriorityP189critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2022-06-14
Exploited in the wild
EPSS
73.76%
99.4th percentile
Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | microsoft_windows | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability is triggered by specially crafted messages sent to the Windows Search service (WSearch); monitor for anomalous or malformed inbound traffic targeting the Windows Search service. ↗
- →In enterprise/network scenarios, exploitation is delivered over an SMB connection to the Windows Search service; monitor for unexpected SMB connections that interact with WSearch, particularly from unauthenticated or external sources. ↗
- →CVE-2017-8543 is confirmed exploited in the wild; treat any unpatched Windows Search service exposure as actively targeted. ↗
- →Monitor for post-exploitation activity: program installation, data access/modification/deletion, and new account creation with full user rights following WSearch service anomalies. ↗
- ·Microsoft issued patches for out-of-support platforms (Windows XP, Server 2003) due to active exploitation; these patches are available but do not represent a change in standard servicing policy. ↗
- ·Disabling the WSearch service (setting registry Start value to 4 and running 'sc stop WSearch') is the documented workaround, but it will make Windows Search functionality unavailable to all applications relying on it. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
vendor_msrc8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-w5g9-xvwm-4qf8: Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Wi
ghsa_unreviewed·2022-05-13
CVE-2017-8543 [CRITICAL] CWE-281 GHSA-w5g9-xvwm-4qf8: Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Wi
Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
VulnCheck
Microsoft Windows Search Remote Code Execution Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-8543 [CRITICAL] CWE-281 Microsoft Windows Search Remote Code Execution Vulnerability
Microsoft Windows Search Remote Code Execution Vulnerability
Microsoft Windows allows an attacker to take control of the affected system when Windows Search fails to handle objects in memory.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2017-Jun; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-14
CISA
Microsoft Windows Search Remote Code Execution Vulnerability
cisa·2022-05-24·CVSS 9.8
CVE-2017-8543 [CRITICAL] CWE-281 Microsoft Windows Search Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Search Remote Code Execution Vulnerability
Affected: Microsoft Windows
Microsoft Windows allows an attacker to take control of the affected system when Windows Search fails to handle objects in memory.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-8543
Remediation Due Date: 2022-06-14
Microsoft
Windows Search Remote Code Execution Vulnerability
vendor_msrc·2017-06-13·CVSS 8.1
CVE-2017-8543 [CRITICAL] Windows Search Remote Code Execution Vulnerability
Windows Search Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target com
No detection rules found.
No public exploits indexed.
Krebs
Microsoft, Adobe Ship Critical Fixes
blogs_krebs·2017-06-13·CVSS 9.8
CVE-2017-8543 [CRITICAL] Microsoft, Adobe Ship Critical Fixes
Microsoft today released security updates to fix almost a hundred flaws in its various Windows operating systems and related software. One bug is so serious that Microsoft is issuing patches for it on Windows XP and other operating systems the company no longer officially supports. Separately, Adobe has pushed critical updates for its Flash and Shockwave players, two programs most users would probably be better off without.
Microsoft this month is fixing another serious flaw (CVE-2017-8543) present in most versions of Windows that resides in the feature of the operating system which handles file and printer sharing (also known as “Server Message Block” or the SMB service).
SMB vulnerabilities can be extremely dangerous if left unpatched on a local (internal) corporate network. That’s bec
Talos
Microsoft Patch Tuesday - June 2017
blogs_talos·2017-06-13·CVSS 8.8
CVE-2017-0283 [HIGH] Microsoft Patch Tuesday - June 2017
Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.
### Vulnerabilities Rated Critical
#### CVE-2017-0283 This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. The attack can result in the attacker gaining full control of the affected system. This can be exploited through multiple vectors including viewing a specially crafted website or a user opening a specially crafted document file.
#### CVE-2017-0291 / CVE-2017-0292 These are remote code execution vulnerabil
Qualys
Microsoft Fixes 94 Security Issues in Massive June Update | Qualys
blogs_qualys·2017-06-13·CVSS 8.1
[HIGH] Microsoft Fixes 94 Security Issues in Massive June Update | Qualys
Today Microsoft released patches to fix 94 vulnerabilities out of which 27 fix remote code execution issues which can allow an attackers to remotely take control of victim machines. This is a massive update and fixes more than double the number of vulnerabilities as compared to the last two months.
Microsoft also released Security Advisory 4025685 which includes patches for older platforms due to heightened risk of exploitation. In my opinion this should be treated as a blue-print for future attacks and updates for EOL operating systems should be applied as soon as possible. Older platforms include Windows XP, Windows Server 2003, Vista and Windows 8 and older issues like MS08-067, MS09-050, MS10-061, MS14-068, MS17-010, MS17-013 are patched. Newer issues affecting older platforms like CV
Qualys
Microsoft Fixes 94 Security Issues in Massive June Update
blogs_qualys·2017-06-13·CVSS 8.1
[HIGH] Microsoft Fixes 94 Security Issues in Massive June Update
Today Microsoft released patches to fix 94 vulnerabilities out of which 27 fix remote code execution issues which can allow an attackers to remotely take control of victim machines. This is a massive update and fixes more than double the number of vulnerabilities as compared to the last two months.
Microsoft also released Security Advisory 4025685 which includes patches for older platforms due to heightened risk of exploitation. In my opinion this should be treated as a blue-print for future attacks and updates for EOL operating systems should be applied as soon as possible. Older platforms include Windows XP, Windows Server 2003, Vista and Windows 8 and older issues like MS08-067, MS09-050, MS10-061, MS14-068, MS17-010, MS17-013 are patched. Newer issues affecting older platforms like CV
Krebs
Microsoft, Adobe Ship Critical Fixes – Krebs on Security
blogs_krebs·2017-06-01·CVSS 9.8
[CRITICAL] Microsoft, Adobe Ship Critical Fixes – Krebs on Security
Microsoft today released security updates to fix almost a hundred flaws in its various Windows operating systems and related software. One bug is so serious that Microsoft is issuing patches for it on Windows XP and other operating systems the company no longer officially supports. Separately, Adobe has pushed critical updates for its Flash and Shockwave players, two programs most users would probably be better off without.
According to security firm Qualys , 27 of the 94 security holes Microsoft patches with today’s release can be exploited remotely by malware or miscreants to seize complete control over vulnerable systems with little or no interaction on the part of the user.
Microsoft this month is fixing another serious flaw (CVE-2017-8543) present in most versions of Windows that re
Zscaler
Zscaler found Multiple Security Vulnerabilities | 06-13-2017
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler found Multiple Security Vulnerabilities | 06-13-2017
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
http://www.securityfocus.com/bid/98824http://www.securitytracker.com/id/1038667https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543http://www.securityfocus.com/bid/98824http://www.securitytracker.com/id/1038667https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-8543
2017-06-15
Published
2022-05-24
Added to CISA KEV
Exploited in the wild