• Skip to Content
  • Skip to Main Navigation
  • Skip to Search

Indiana University Indiana University IU

Open Search
  • Personal Preparedness
    • Keeping data safe
    • Email & phishing scams
    • Secure data removal
    • IU passphrases
    • Using social media
    • Web privacy
    • Account privileges
    • Remote Desktop
    • Cybersecurity while traveling
    • Identity verification
    • Hardware & software security
      • Laptop & mobile device security
      • Malware, scareware, & ransomware
      • Storage drives
      • Wearable technologies
      • Protecting data in copiers and multifunction devices
      • Use of survey software
      • Solid State Drives
    • File sharing & copyright
      • Contesting copyright infringement notices
      • Disabling peer-to-peer file sharing
      • Copyright tutorial
      • Copyright infringement incident resolution
  • Information & IT Policies
    • The Policy Hierarchy explained
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • Federal & international regulations
    • Indiana Data Protection laws FAQ
    • IT-12.1 Mobile Device Security Standard
  • Information Security & Privacy Program
    • Safeguards
      • Risk assessment and treatment
      • Policy administration
      • Organization
      • Asset management
      • Human resources
      • Physical & environmental security
      • Communications & operations management
      • Identity & access control
      • Information systems acquisition, development, and maintenance
      • Incident management
      • Business continuity management
      • Compliance
    • Governance
    • Principles
  • Protecting Data & Privacy
    • Privacy matters
      • Privacy harms
      • Privacy principles
      • Understanding and protecting privacy
    • Sensitive data
      • Guidelines
    • Sharing institutional data with third parties
  • Resources for IT Professionals
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Benchmarks
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
      • Privacy Notice Generator
      • Training & awareness
      • Incident Response Webservice
      • Penetration test
      • SSL/TLS certificates
      • Vulnerability scanners
  • About
    • Glossary of Terms
    • Trustees Resolution
  • Contact
  • Report an Incident
    • Report Privacy Incident or Request Assistance
    • Emergency IT Incidents
    • Managing Incidents
    • Identity Theft
    • Reporting Suspected Sensitive Data Exposures

Information Security & Policy

  • Home
  • Personal Preparedness
    • Keeping data safe
    • Email & phishing scams
    • Secure data removal
    • IU passphrases
    • Using social media
    • Web privacy
    • Account privileges
    • Remote Desktop
    • Cybersecurity while traveling
    • Identity verification
    • Hardware & software security
    • File sharing & copyright
  • Information & IT Policies
    • The Policy Hierarchy explained
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • Federal & international regulations
    • Indiana Data Protection laws FAQ
    • IT-12.1 Mobile Device Security Standard
  • Information Security & Privacy Program
    • Safeguards
    • Governance
    • Principles
  • Protecting Data & Privacy
    • Privacy matters
    • Sensitive data
    • Sharing institutional data with third parties
  • Resources for IT Professionals
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Benchmarks
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
  • Search
  • About
  • Contact
  • Report an Incident
  • Home
  • Security Bulletins
  • Critical patches released by Microsoft on 2017-06-13 / 2017-07-11

Critical patches released by Microsoft on 2017-06-13 / 2017-07-11

Wednesday, June 14, 2017

UPDATE 7-12-2017

The University Information Security Office (UISO) notes that the July Cumulative Security Rollup from Microsoft includes critical patches which specifically references the Windows Search Remote Code Execution vulnerability CVE-2017-8589. This vulnerability was described in the June Cumulative Security Rollup from Microsoft and included in the 2017-06-13 patch set. The patches released by Microsoft on 2017-07-11 offer additional mitigations for the vulnerability as noted by this Microsoft security advisory.

Due to the nature of this vulnerability, UISO recommends that the July Cumulative Security Rollup be applied as soon as possible and with the same priority as the June Cumulative Security Rollup.

Background

On June 13, 2017 Microsoft released a group of critical security patches in its normal patch schedule. Accompanied with this release was a security advisory that warns these "vulnerabilities are at heightened risk of exploitation due to past and threatened nation-state attacks and disclosures."

Impact

While no current exploit is known, the University Information Security Office (UISO) believes there is a greater chance of one being developed rapidly and released into the wild. To prevent the spread of such an exploit, patching outside of normal patch schedules is required. In addition, UISO stands ready to take necessary actions to mitigate significant institutional risk that such an exploit might create. Necessary actions may include blocking vulnerable, but not yet compromised, devices from Indiana University's networks.

Platforms

All versions of Windows are impacted, including out-of-date operating systems like Windows XP and Windows 2003.

Local observations

UISO has seen worm activity from similar Microsoft Server Message Block 1.0 (SMBv1) vulnerabilities like MS17-010.

UISO recommendations

UISO urges that these security patches be applied as soon as possible. Additionally, systems should be configured for automatic management of security updates.

Further reading

No workarounds are recommended. Please patch immediately.

  • https://support.microsoft.com/en-us/help/4025686/microsoft-security-advisory-4025685-guidance-for-supported-platforms
  • https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms
  • https://kb.iu.edu/d/arlc
  • https://support.microsoft.com/en-US/help/306525/how-to-configure-and-use-automatic-updates-in-windows
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8589
  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589

Information Security & Policy resources

  • Leading in Cybersecurity
  • IU Data Management

Indiana University

Accessibility | Privacy Notice | Copyright © 2021 The Trustees of Indiana University