This vulnerability got patched during August update. https://threatpost.com/microsoft-patches-critical-windows-search-vulnerability/127303/ Bo
Yes, I know. I just wonder if disabling Search service would prevent possible exploit or would Search have to be removed entirely to mitigate it.
Appears the primary issue would be on an unpatched Enterprise based server or endpoint. Also appears the vulnerability is related to the service only. Believe its primary purpose is to facilitate indexing which some already have turned off. Ref.: https://msdn.microsoft.com/en-us/library/windows/desktop/aa965362(v=vs.85).aspx
Well, disabling the search service would definitely decrease the chances of the vulnerability becoming exploited, however a malware sample could easily start the service manually via the service manager. Removing the Search would mitigate it for a manual fix (unless malware dropped it back onto the system and then used it), but for a practical mitigation it would require Microsoft to patch the vulnerability (and if it wasn't already patched, a security product could temporarily prevent unknown running processes from communicating with the Search service so the exploit cannot be deployed). But, messing with removing Windows components like the Search is not really practical and can cause potential problems.
Also time to review basic SMB security: 1. Using an IDS, access to admin shares should be blocked/restricted. 2. Using a firewall, ports used by SMB, i.e. 137-138, and 445, should be restricted to local network access only.
Patching Against the Next WannaCry Vulnerability (CVE-2017-8620) http://www.securityweek.com/patching-against-next-wannacry-vulnerability-cve-2017-8620
