Microsoft's Patch Tuesday for this month falls the day before the most romantic day of the year.
Yes, it's Valentine's, and the tech giant has released its monthly security update for February 2018, addressing a total of 50 CVE-listed vulnerabilities in its Windows operating system, Microsoft Office, web browsers and other products.
Fourteen of the security updates are listed as critical, 34 are rated as important, and 2 of them are rated as moderate in severity.
The critical update patches serious security flaws in Edge browser and Outlook client, an RCE in Windows' StructuredQuery component, and several memory corruption bugs in the scripting engines used by Edge and Internet Explorer.
Critical Microsoft Outlook Vulnerability
One of the most severe bugs includes a memory corruption vulnerability (CVE-2018-0852) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machines.
In order to trigger the vulnerability, an attacker needs to trick a victim into opening a maliciously crafted message attachment or viewing it in the Outlook Preview Pane. This would allow the arbitrary code inside the malicious attachment to execute in the context of the victim's session.
If the victim is logged on with administrative user rights, the attacker could take control of the affected system, eventually allowing them to install programs, create new accounts with full user rights, or view, change or delete data.
"What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution," explained the Zero Day Initiative (ZDI).
"The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer."
The second Outlook vulnerability (CVE-2018-0850), rated as important, is a privilege escalation flaw that can be leveraged to force the affected version of Outlook to load a message store over SMB from a local or remote server.
Attackers can exploit the vulnerability by sending a specially crafted email to an Outlook user, and since the bug can be exploited when the message is merely received (before it is even opened), the attack could take place without any user interaction.
"Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email," Microsoft explains in its advisory. "This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content."
Both the Outlook vulnerabilities have been discovered and reported to the tech giant by Microsoft's researcher Nicolas Joly and former Pwn2Own winner.
Critical Microsoft Edge Vulnerability
Another critical flaw, which is an information disclosure vulnerability (CVE-2018-0763), resides in Microsoft Edge that exists due to Microsoft Edge's improperly handling of objects in the memory.
Source: The Hacker News
No comments:
Post a Comment