This month’s Patch Tuesday includes fixes for more than 50 vulnerabilities in Windows, Office, Internet Explorer, Edge and, of course, Adobe Flash Player.
Microsoft has rolled out the bug fixes this week, with a high proportion of them labelled “critical”.
There are 55 fixes in total, but it is Adobe that takes top spot for vulnerabilities in Flash, according to the SANS Internet Storm Center, although the company was shamed into finally rushing out a fix for it last week.
The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview pane
“According to Adobe and reports from the Korean Computer Emergency Response Team (KR-CERT), one of the vulnerabilities has already been exploited, so I am marking it differently here, and assign it a ‘Patch Now’ rating,” it wrote.
“Not much detail has been made public yet about this vulnerability, which is why I am leaving the ‘Disclosed’ rating at ‘No’,” it added.
Despite the fact that the perennially insecure Flash Player will be discontinued by 2020, it is still a widely used plug-in in many different browsers.
Although Adobe has taken top-spot for its 10-out-of-10 rated security flaw in Flash, there’s still been plenty to keep
Top of Microsoft’s to-do list this month has been one of two particular flaws in Outlook, CVE-2018-0852, the company’s email client.
The remote code execution vulnerability could give an attacker full control of a targeted system if the user is logged on with administrative user rights, Microsoft warns.
Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt
Indeed, the flaw can be exploited by attackers in the Outlook preview pane, making it especially critical for individuals and organisations to update ASAP.
“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” warned Trend Micro’s Zero-day Initiative in a blog posting.
It continued: “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”
Attributed to Pwn2Own bug-hunter Nicolas Joly, “this bug occurs when an attacker sends a maliciously crafted email to a victim. The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB [messaging protocol].
“Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email,” warns ZDI.
“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” warned Microsoft.
In addition, there were also out-of-band patches for Microsoft Office’s Equation Editor, issued in January, that users ought to have patched by now – but may not have done.
SANS also added an update about the Spectre CPU security flaw that has been occupying Intel, in particular, for much of the new year. “The ‘Spectre’ advisory (ADV180002) was originally released in January, but underwent several updates since then.
“The latest version released today includes references to new updates released for Windows 10 (32-bit). It also states that there is no release schedule for older versions of Windows, but that they are working on releasing updates for pre-Windows 10 operating systems.”
Save this article