CVE-2017-8589
published 2017-07-11CVE-2017-8589: Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and…
PriorityP265critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
26.16%
97.7th percentile
Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability due to the way that Windows Search handles objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for specially crafted SMB messages targeting the Windows Search service (WSearch); remote unauthenticated exploitation is possible over SMB from outside the network. ↗
- →Prioritize detection on both servers and workstations; the vulnerability affects Windows Search service across Windows 7/8.1/10 and Windows Server 2008/2012/2016. ↗
- ·CVE-2017-8589 exploits Windows Search via SMB but is NOT a vulnerability in SMB itself; do not conflate with EternalBlue/WannaCry/Petya SMB detections. ↗
- ·At time of patch release, no in-the-wild exploitation was confirmed, but Microsoft rated exploitation as 'More Likely' for both latest and older software releases. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Windows Search Remote Code Execution Vulnerability
vendor_msrc·2017-07-11·CVSS 9.8
CVE-2017-8589 [CRITICAL] Windows Search Remote Code Execution Vulnerability
Windows Search Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target com
GHSA
GHSA-54hw-ww7h-fvm8: Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8
ghsa_unreviewed·2022-05-13
CVE-2017-8589 [CRITICAL] CWE-281 GHSA-54hw-ww7h-fvm8: Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8
Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability due to the way that Windows Search handles objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
No detection rules found.
No public exploits indexed.
Qualys
July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches | Qualys
blogs_qualys·2017-07-11·CVSS 7.8
CVE-2017-8589 [HIGH] July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches | Qualys
Today Microsoft released patches covering 54 vulnerabilities as part of July’s Patch Tuesday update, with 26 of them affecting Windows. Patches covering 19 of these vulnerabilities are labeled as Critical, all of which can result in Remote Code execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.
Top priority for patching should go to CVE-2017-8589, which is a vulnerability in the Windows Search service. This vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1. While this vulnerability can leverage SMB as an attack vector, this is not a vulnerab
Qualys
July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
blogs_qualys·2017-07-11·CVSS 7.8
CVE-2017-8589 [HIGH] July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
Today Microsoft released patches covering 54 vulnerabilities as part of July’s Patch Tuesday update, with 26 of them affecting Windows. Patches covering 19 of these vulnerabilities are labeled as Critical, all of which can result in Remote Code execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.
Top priority for patching should go to CVE-2017-8589 , which is a vulnerability in the Windows Search service. This vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1. While this vulnerability can leverage SMB as an attack vector, this is not a vulnera
Talos
Microsoft Patch Tuesday - July 2017
blogs_talos·2017-07-11·CVSS 7.8
CVE-2017-8463 [HIGH] Microsoft Patch Tuesday - July 2017
Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 54 vulnerabilities with 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework, Internet Explorer, Office, and Windows.
### Vulnerabilities Rated Critical
#### CVE-2017-8463
This is a remote code execution vulnerability related to the way that Windows Explorer handles executable files and shares during rename operations. If exploited this vulnerability could run arbitrary code, users not running as administrators would be less affected. This vulnerability can be triggered via a malicious share folder and malware named with an executable extension.
#### CVE-2017-8584 A remote code execution vul
http://www.securityfocus.com/bid/99425http://www.securitytracker.com/id/1038866https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589http://www.securityfocus.com/bid/99425http://www.securitytracker.com/id/1038866https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589
2017-07-11
Published