
Windows NTLM vulnerabilities addressed in July 2017 Patch Tuesday

Client-side security takes the forefront in Microsoft's July 2017 Patch Tuesday, which includes a fix for legacy Windows NTLM authentication processes.

Microsoft's July 2017 Patch Tuesday fixes targeted more than 50 vulnerabilities across Microsoft products and services, including 19 critical flaws and an important fix for Windows NTLM vulnerabilities.

According to Greg Wiseman, senior security researcher for Rapid7, "most of the critical vulnerabilities patched this month concern client-side systems, with 14 separate remote code execution (RCE) issues being addressed for the Microsoft Edge browser and five for Internet Explorer. One of the three Adobe Flash Player vulnerabilities being patched is also a critical RCE bug (CVE-2017-3099). Of the 54 Microsoft CVEs addressed, 33 relate to Edge and 14 to Internet Explorer." 

One of the top security issues tackled in Patch Tuesday was CVE-2017-8589 -- a vulnerability in the Windows Search service that can be exploited via the Windows Server Message Block (SMB) protocol.

"This vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1," Jimmy Graham, director of product management at Qualys, Inc., wrote in a blog post. "While this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya."

Wiseman added that this flaw is one that "typically requires access to the target computer" but is made more dangerous because of the attack vector via the SMB protocol.

Windows NTLM vulnerabilities

Aside from the various critical Windows vulnerabilities, which Tyler Reguly, manager of the vulnerability and exposure research team at Tripwire Inc., based in Portland, Ore., said were "typical" this month, July Patch Tuesday included a fix for Windows NT LAN Manager (NTLM) authentication that requires more attention from enterprise staff.

The two vulnerabilities were discovered and reported to Microsoft by the research team at Preempt and affect Windows NTLM, which is a suite of legacy authentication protocols that were replaced by Kerberos in Windows 2000, but are still available as part of backwards compatibility within the Windows authentication API.

According to Yaron Zinar, security researcher for behavioral authentication vendor Preempt, "these issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled."

Reguly said the flaw requires more than just a patch.

"It is worth calling attention to this vulnerability that allows for privilege escalation when falling back from Kerberos to NTLM authentication," he said. "After applying this patch to clients, an additional change must be made to the domain controller to actually mitigate the vulnerability. Without the patch, the mitigation will break authentication and without the mitigation the vulnerability will persist."
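Because the domain controller change Reguly describes breaks authentication on unpatched clients, a practitioner would first want to know where NTLM is still being negotiated instead of Kerberos. The following added example (not from the article or any vendor quoted in it) flags NTLM network logons in constructed records shaped like Windows Security event 4624; the field names follow that event, while the hosts, accounts and addresses are made up.

```python
"""Inventory successful logons that negotiated NTLM rather than Kerberos.

Added example; the records below are constructed, not real telemetry.
Field names mirror Windows Security event 4624 (successful logon).
"""
from collections import Counter

# Constructed sample records. LogonType 3 is a network logon; the
# AuthenticationPackageName tells us whether Kerberos or NTLM was used,
# and LmPackageName carries the NTLM version when NTLM was negotiated.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "alice",
     "WorkstationName": "WS01", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "svc_backup",
     "WorkstationName": "WS02", "IpAddress": "10.0.0.12"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "admin",
     "WorkstationName": "WS03", "IpAddress": "10.0.0.13"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LmPackageName": "-", "TargetUserName": "bob",
     "WorkstationName": "WS01", "IpAddress": "-"},
    # A failed logon (4625) is excluded: we only want authentications that worked.
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "carol",
     "WorkstationName": "WS04", "IpAddress": "10.0.0.14"},
]


def ntlm_logons(events):
    """Return successful network logons (4624, type 3) that used NTLM."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"]


def summarize(events):
    """Count NTLM logons per source host and per NTLM version, listing accounts."""
    hits = ntlm_logons(events)
    return {
        "total": len(hits),
        "by_host": dict(Counter(e.get("WorkstationName", "?") for e in hits)),
        "by_version": dict(Counter(e.get("LmPackageName", "?") for e in hits)),
        "accounts": sorted({e["TargetUserName"] for e in hits}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

Hosts and accounts that show up here are the ones that will be affected by a domain controller mitigation before the client patch reaches them.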

Graham told SearchSecurity that the concern surrounding these Windows NTLM vulnerabilities is that "successful exploitation will give an attacker elevated access to domain controllers, which might lead to full control over the attacked network. In general, coordinated full disclosure of any vulnerability is a very good idea. The process helps improve overall security and gives consumers a chance to make better assessments of risk and threats to their environment."

Chris Goettl, product manager with endpoint security vendor Ivanti, said the Windows NTLM vulnerabilities Preempt found "were not trivial or to be brushed off, but they are probably getting a little more hype than is warranted." 

"Of course, Preempt is going to take advantage of this as a marketing opportunity. The company has research invested and a perfect opportunity to show its value," Goettl told SearchSecurity. "That said, there were four public disclosures (not these two vulnerabilities) that were disclosed before the updates were released, which gives attackers an opportunity to take advantage of the additional time to exploit them before companies could put updates in place. There was also another Windows Search exploit that can be remotely exploited over SMB that scored a higher CVSS score than the vulnerabilities Preempt is referring to." 

Other patches of note

Experts said there were other interesting patches to pay attention to in the July Patch Tuesday release.

Bobby Kuzma, security researcher at Core Security, pointed out CVE-2017-8570, a vulnerability in Microsoft Office, as a strange one.

"This one's curious. It impacts the 2013 RT edition for tablets and mobile, which are ARM devices [as well as 32 and 64-bit versions of] Office 2007, 2010, 2013, and 2016," Kuzma told SearchSecurity. "It's very unusual to see something cross architecture like that, which points at this being in a common middleware layer."

Experts also pointed to CVE-2017-8584 as noteworthy because it is the first patch Microsoft has released for its HoloLens headset.

"An RCE in the new-fangled augmented reality gadget. We are truly living in the future," Kuzma said.
