By Microsoft Patched fifty vulnerabilities in Windows, Office and the web browsers of the company. It was revealed by the company on Tuesday as February 2018 updates, but the list does not seem to comprise any zero-day vulnerabilities.
Fourteen of the security flaws have been evaluated serious, containing an information revelation vulnerability in Edge, a memory exploitation in Outlook, a distant code implementation flaw in Windows’ StructuredQuery element, and various memory exploitations in the scripting engines employed by Edge and Internet Explorer. One flaw, CVE-2018-0771, was openly exposed before Microsoft announced fixes. The problem is a Same-Origin Policy (SOP) avoid that survives as a result of the way Edge manages wishes of various origins.
“An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted,” Microsoft said. The company believes it’s unlikely that this flaw, which it has rated “important,” will be exploited in attacks.
Among these flaws, two of the most exciting flaws fixed this month are Outlook flaws exposed by Microsoft’s own Nicolas Joly. One of the vulnerabilities, CVE-2018-0852, can be corrupted to implement random code in the context of a customer’s session by receiving the object to run a particularly crafted file with a pretentious version of Outlook.
“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained Dustin Childs of the Zero Day Initiative (ZDI). “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”
The additional Outlook flaw identified by Joly is an honor appreciation issue (CVE-2018-0850) that can be influenced to power Outlook to load a local or distant message store. The vulnerability can be corrupted by sending a particularly crafted email to an Outlook user.
“The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email,” Childs said, pointing out that such a vulnerability would have earned Joly a prize in ZDI’s Pwn2Own competition.
Microsoft’s updates fix a complete of thirty four significant and two reasonable serious flaws. Microsoft updated the Adobe Flash Player this month some time ago the elements used by its products to mention two flaws, containing a zero-day supposed to have been corrupted by North Korean threat actors. Adobe on Tuesday announced updates for its Acrobat, Reader and Experience Manager Products to mention forty one security flaws.
