Microsoft is Patching Against the Next WannaCry Vulnerability

The latest Microsoft patch updates include the CVE-2017-8620 vulnerability which has been raising many concerns lately.

CVE-2017-8620 is a wormable bug capable of affecting all supported Windows versions, from Windows 7 onwards.

According to Microsoft, “in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.”

Researchers from Check Point describe CVE-2017-8620 as ‘The Next WannaCry Vulnerability’, while SANS defines it as ‘more likely’ to be both disclosed and exploited in the future. When this happens, the situation could precisely parallel WannaCry/NotPetya.

The major concern regarding CVE-2017-8620 is that the vulnerability could be adopted by nation-state actors, who would certainly have the resources to realize its full potential.

Security researchers are also concerned that since many users did not patch against WannaCry/NotPetya, they might not patch CVE-2017-8620 before it’s exploited.

“Patching will break stuff,” the F-Secure security advisor Sean Sullivan says. “And so you can’t just roll out patches into a live production environment without testing. It’s a matter of time and resources. There’s no escaping the need to test.”

Production environments are hardly the only problem area for IT departments. “Any system with external, highly entangled dependencies will take longer to update,” says Wendy Nather, principal security strategist at Duo Security.

Embedded systems may also prove an increasing problem for patching as the IoT expands.

David Harley, a senior researcher at ESET, talks about the “balance between risking difficulties caused by a problematic patch, and risking issues caused by unpatched vulnerabilities”: there are still cases where organizations don’t see patching as a priority. “And that,” he adds, “has become more dangerous than ever in recent years.”

Unfortunately, it is likely that many unpatched systems will still be vulnerable by the time an exploit for CVE-2017-8620 becomes available. So the question is: if patching CVE-2017-8620 is not possible, how should users protect themselves?

The first thing to do is to keep the anti-virus defenses of their systems up to date. Defense in depth specifically aimed at preventing SMB worms will also help.

According to Jarno Niemela from F-Secure, better firewall rules would have done much to mitigate the damage that was done.

Last but not least, Microsoft’s recommended temporary mitigation against CVE-2017-8620 should be deployed: disable the Windows Search (WSearch) service.
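The mitigation steps above, carried out in an elevated PowerShell session, as an added example that is not part of the original article or of Microsoft's own guidance. It stops and disables the WSearch service and adds a defense-in-depth rule blocking unsolicited inbound SMB (TCP 445) on the Public firewall profile; the rule name and the choice of the Public profile are assumptions made for this example and should be adapted to the environment.

```powershell
# Added example (not from the article): apply Microsoft's temporary mitigation for
# CVE-2017-8620 by stopping and disabling the Windows Search service (WSearch),
# then add a defense-in-depth inbound firewall block for SMB (TCP 445).
# Run from an elevated PowerShell session. Note that disabling WSearch also
# disables file indexing and Start-menu search on the host.
#Requires -RunAsAdministrator

$svc = Get-Service -Name 'WSearch' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WSearch service not present on this host; nothing to disable.'
} else {
    Write-Output ("WSearch before: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'WSearch' -Force
    }
    # Disabled (not Manual) so nothing can restart the service on demand.
    Set-Service -Name 'WSearch' -StartupType Disabled
    $svc = Get-Service -Name 'WSearch'
    Write-Output ("WSearch after:  Status={0} StartType={1}" -f $svc.Status, $svc.StartType)
}

# Defense in depth against SMB worms: block unsolicited inbound SMB on the
# Public profile. The rule name and the profile are assumptions for this example;
# domain file servers will need a different scope.
$ruleName = 'Block-Inbound-SMB-445-Public'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
    Write-Output "Created firewall rule '$ruleName'."
} else {
    Write-Output "Firewall rule '$ruleName' already exists."
}

# Show the resulting state so the change can be recorded in the change ticket.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

The script is idempotent: running it a second time reports the existing state instead of creating a duplicate rule, which makes it safe to push through a configuration-management tool. The service is set to Disabled rather than Manual because a Manual service can still be started on demand by another component, which would undo the mitigation.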

Once users follow this advice, their systems will be better protected against exploitation of this vulnerability.
