The original bulletin from Microsoft’s Security Response Center incorrectly stated that was part of this vulnerability: rather, it has nothing to do with this vulnerability and was not patched. I’m mentioning it here because a Windows user or admin thinking that turning off would stop all vectors to this attack would be wrong and still vulnerable without the patch.
All an attacker needs to do is get some code to talk to Windows Search in a malformed way, even locally, to exploit this Windows Search flaw.
When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.
As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.
ET: Microsoft has revised its bulletin on the vulnerability for which it issued Windows XP fixes (CVE-2017-8543) to clarify that the problem fixed by the patch is in the Windows Search service, not the SMB service as Microsoft previously stated in the bulletin.
“Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly,” Doerr wrote.
“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” wrote Eric Doerr, general manager of Microsoft’s Security Response Center.
Qualys says organizations using Microsoft Outlook should pay special attention to a newly patched bug in the popular mail program because attackers can send malicious email and take complete control over the recipient’s Windows machine when users merely view a specially crafted email in Outlook.
Separately, Adobe has issued updates to fix critical security problems with both its Flash Player and Shockwave Player.
“The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations.
Older systems, even if fully up-to-date, lack the latest security features and advancements.”
The default browsers on Windows — Internet Explorer or Edge — get their usual slew of updates this month for many of these critical, remotely exploitable bugs.