Microsoft has released "critical" patches for all supported versions of its Windows operating system this week (Tuesday 8 August). One bug – if exploited – could let a hacker take control of a computer, install malicious programs, delete information or create new user accounts.
The flaw, officially described as a "remote code execution vulnerability" exists in Windows Search and needs to be urgently updated. It can be exploited with the use of a "specially crafted message" and, in enterprise systems, could even be triggered via SMB connections.
In total, Microsoft released 48 security fixes as part of its August batch of releases, dubbed "Patch Tuesday".
Of these, 25 were listed as critical, 21 were rated important, and two others were described as moderate in severity. Windows, Internet Explorer (IE) and Edge were all namechecked as being at risk.
The Zero Day Initiative, a Trend Micro platform for responsibly disclosing vulnerabilities, said the Windows Search bug is "pretty close to wormable and just the sort of thing malware writers look for in a bug."
SMB, or Server Message Block, was the protocol that enabled the quick spread of the "WannaCry" ransomware back in May.
The Search flaw was labelled CVE-2017-8620 and the full run-down can be viewed here.
Adobe, which releases fixes on the same schedule as Microsoft, also pushed out two critical updates for its Flash Player, which is rapidly approaching its end-of-life. Additionally, two urgent patches were touted for its Digital Edition and Adobe Reader DC product suites.
"Focus your immediate attention on the OS, Flash, Reader, and browser updates," commented Chris Goettl, a product manager with enterprise security company Ivanti. "The quicker we can plug critical vulnerabilities the lower our overall risk will be."
"There are a number of critical vulnerabilities resolved here and a few disclosures in the OS updates which give attackers a bit of a head start on developing an exploit. As the first half of 2017 has shown us, time is a significant variable in defending computers against threats."