Microsoft's Patch Tuesday for this month falls the day before the most romantic day of the year.
Yes, it's Valentine's, and the tech giant has released its monthly
security update for February 2018, addressing a total of 50 CVE-listed
vulnerabilities in its Windows operating system, Microsoft Office, web
browsers and other products.
Fourteen of the security updates are listed as critical, 34 are rated as
important, and 2 of them are rated as moderate in severity.
The critical updates patch serious security flaws in the Edge browser and
Outlook client, an RCE in Windows' StructuredQuery component, and
several memory corruption bugs in the scripting engines used by Edge and
Internet Explorer.
Critical Microsoft Outlook Vulnerability
One of the most severe bugs is a memory corruption vulnerability (CVE-2018-0852) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machines.
In order to trigger the vulnerability, an attacker needs to trick a
victim into opening a maliciously crafted message attachment or viewing
it in the Outlook Preview Pane. This would allow the arbitrary code
inside the malicious attachment to execute in the context of the
victim's session.
If the victim is logged on with administrative user rights, the attacker
could take control of the affected system, eventually allowing them to
install programs, create new accounts with full user rights, or view,
change or delete data.
"What’s truly frightening with this bug is that the Preview Pane is an
attack vector, which means simply viewing an email in the Preview Pane
could allow code execution," explained the Zero Day Initiative (ZDI).
"The end user targeted by such an attack doesn’t need to open or click
on anything in the email – just view it in the Preview Pane. If this bug
turns into active exploits – and with this attack vector, exploit
writers will certainly try – unpatched systems will definitely suffer."
The second Outlook vulnerability (CVE-2018-0850),
rated as important, is a privilege escalation flaw that can be
leveraged to force the affected version of Outlook to load a message
store over SMB from a local or remote server.
Attackers can exploit the vulnerability by sending a specially crafted
email to an Outlook user, and since the bug can be exploited when the
message is merely received (before it is even opened), the attack could
take place without any user interaction.
"Outlook would then attempt to open a pre-configured message store
contained in the email upon receipt of the email," Microsoft explains in
its advisory. "This update addresses the vulnerability by ensuring
Office fully validates incoming email formatting before processing
message content."
Both Outlook vulnerabilities were discovered and reported to the tech
giant by Microsoft researcher and former Pwn2Own winner Nicolas Joly.
Critical Microsoft Edge Vulnerability
Another critical flaw, an information disclosure vulnerability (CVE-2018-0763), resides in Microsoft Edge and exists due to the browser's improper handling of objects in memory.
An attacker can exploit this vulnerability to successfully obtain
sensitive information to compromise the victim's machine further.
"To exploit the vulnerability, in a web-based attack scenario, an
attacker could host a website in an attempt to exploit the
vulnerability. In addition, compromised websites and websites that
accept or host user-provided content could contain specially crafted
content that could exploit the vulnerability," Microsoft explains.
"However, in all cases an attacker would have no way to force a user
to view the attacker-controlled content. Instead, an attacker would have
to convince a user to take action. For example, an attacker could trick
a user into clicking a link that takes the user to the attacker's
site."
Other critical issues include several Scripting Engine Memory Corruption
vulnerabilities in Microsoft Edge that could be exploited to achieve
remote code execution in the context of the current user.
A Microsoft Edge flaw (CVE-2018-0839),
rated as important, is an information disclosure vulnerability that
exists due to Microsoft Edge's improper handling of objects in memory.
Successful exploitation of the bug could allow attackers to obtain
sensitive information to compromise the user's system further.
Internet Explorer also got a patch to address an information disclosure vulnerability (CVE-2018-0847), rated important, that would let a webpage use VBScript to fetch stored information from memory.
Publicly Disclosed Vulnerability Before Being Patched
Although the list of patched vulnerabilities does not include any zero-day flaws, one of the security flaws (CVE-2018-0771) in Microsoft Edge was publicly known before the company released patches, but was not listed as being under active attack.
Listed as Moderate, the issue is a Same-Origin Policy (SOP) bypass
vulnerability which occurs due to Microsoft Edge's improper handling of
requests of different origins.
The vulnerability could allow an attacker to craft a webpage to bypass
the SOP restrictions and get the browser to send data from other
sites--requests that should otherwise be ignored due to the SOP
restrictions in place.
Meanwhile, Adobe on Tuesday also released
security updates for its Acrobat, Reader and Experience Manager
products to address a total of 41 security vulnerabilities, out of which
17 are rated as critical and 24 important in severity.
Users are strongly advised to apply security patches as soon as possible
to keep hackers and cybercriminals from taking control of their
computers.
For installing security updates, simply head on to Settings → Update
& security → Windows Update → Check for updates, or you can install
the updates manually.