Microsoft’s Patch Tuesday for this month falls the day before the most romantic day of the year.
Yes, it’s Valentine’s, and the tech giant has released its monthly security update for February 2018, addressing a total of 50 CVE-listed vulnerabilities in its Windows operating system, Microsoft Office, web browsers and other products.
Fourteen of the security updates are listed as critical, 34 are rated as important, and 2 of them are rated as moderate in severity.
The critical update patches serious security flaws in Edge browser and Outlook client, an RCE in Windows’ StructuredQuery component, and several memory corruption bugs in the scripting engines used by Edge and Internet Explorer.
Critical Microsoft Outlook Vulnerability
One of the most severe bugs includes a memory corruption vulnerability (CVE-2018-0852) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machines.
In order to trigger the vulnerability, an attacker needs to trick a victim into opening a maliciously crafted message attachment or viewing it in the Outlook Preview Pane. This would allow the arbitrary code inside the malicious attachment to execute in the context of the victim’s session.
If the victim is logged on with administrative user rights, the attacker could take control of the affected system, eventually allowing them to install programs, create new accounts with full user rights, or view, change or delete data.
“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained the Zero Day Initiative (ZDI).
“The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”
The second Outlook vulnerability (CVE-2018-0850), rated as important, is a privilege escalation flaw that can be leveraged to force the affected version of Outlook to load a message store over SMB from a local or remote server.
Attackers can exploit the vulnerability by sending a specially crafted email to an Outlook user, and since the bug can be exploited when the message is merely received (before it is even opened), the attack could take place without any user interaction.
“Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email,” Microsoft explains in its advisory. “This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.”
Both the Outlook vulnerabilities have been discovered and reported to the tech giant by Microsoft’s researcher Nicolas Joly and former Pwn2Own winner.
Critical Microsoft Edge Vulnerability
Another critical flaw, which is an information disclosure vulnerability (CVE-2018-0763), resides in Microsoft Edge that exists due to Microsoft Edge’s improperly handling of objects in the memory.
An attacker can exploit this vulnerability to successfully obtain sensitive information to compromise the victim’s machine further.
“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability,” Microsoft explains.
“However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker’s site.”
Other critical issues include several Scripting Engine Memory Corruption vulnerabilities in Microsoft Edge that could be exploited to achieve remote code execution in the context of the current user.
Microsoft Edge flaw (CVE-2018-0839), rated as important, is an information disclosure vulnerability that exists due to Microsoft Edge improper handling of objects in the memory.
Successful exploitation of the bug could allow attackers to obtain sensitive information to compromise the user’s system further.
Internet Explorer also got a patch to address an information disclosure vulnerability (CVE-2018-0847), rated important, that would let a webpage use VBScript to fetch stored information from memory.
Publicly Disclosed Vulnerability Before Being Patched
Although the list of patched vulnerabilities does not include any zero-day flaws, one of the security flaws (CVE-2018-0771) in Microsoft Edge was publicly known before the company released patches, but was not listed as being under active attack.
Listed as Moderate, the issue is a Same-Origin Policy (SOP) bypass vulnerability which occurs due to Microsoft Edge’s improper handling of requests of different origins.
The vulnerability could allow an attacker to craft a webpage to bypass the SOP restrictions and get the browser to send data from other sites–requests that should otherwise be ignored due to the SOP restrictions on place.
Meanwhile, Adobe on Tuesday also released security updates for its Acrobat, Reader and Experience Manager products to address a total of 41 security vulnerabilities, out of which 17 are rated as critical and 24 important in severity.
Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.
For installing security updates, simply head on to Settings → Update security → Windows Update → Check for updates, or you can install the updates manually.