Security Experts:

Microsoft Patches Flaws in Windows, Office, Edge

Microsoft has addressed vulnerabilities affecting Windows, Office and the Edge web browser, but the company’s January 2017 Patch Tuesday updates include only four security bulletins.

The company has released two critical bulletins, including one that resolves a memory corruption in Office (CVE-2017-0003). The flaw, caused due to the way the software handles objects in memory, can be exploited to execute arbitrary code in the context of the current user.

The security hole can be exploited by getting the targeted user to open a specially crafted file or visit a website hosting a malicious file. The issue was reported to Microsoft by Tony Loi of Fortinet’s FortiGuard Labs.

One of the important bulletins patches a privilege escalation vulnerability in Edge (CVE-2017-0002). The flaw was publicly disclosed before the patch became available.

“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge,” Microsoft said in its advisory.

Another important bulletin patches a denial-of-service (DoS) vulnerability caused due to the way the Local Security Authority Subsystem Service (LSASS) in Windows handles authentication requests. The weakness is tracked as CVE-2017-0004.

This vulnerability was identified by researcher Laurent Gaffie, and Microsoft released a fix for it in November. However, an analysis of Gaffie’s PoC code by Nicolás Economou of Core Security helped Microsoft determine that the November update actually patched a different issue. Ultimately, Gaffie’s PoC led to the discovery of two DoS vulnerabilities in LSASS: CVE-2016-7237 and CVE-2017-0004.

The last bulletin released by Microsoft on Tuesday addresses vulnerabilities in Adobe Flash Player as used in various versions of Windows. Adobe has released security updates that fix 29 flaws in Reader and Acrobat, and 13 in Flash Player.

Microsoft has also published an advisory to warn users about a privilege escalation vulnerability affecting .NET Core or .NET Framework projects that use Identity Model Extensions version 5.1.0. The company has advised developers to update their installations to version 5.1.1 or greater.

“Microsoft is aware of a security vulnerability in the public version of Microsoft.IdentityModel.Tokens 5.1.0 where tokens signed with symmetric keys could be vulnerable to tampering. If a token signed with a symmetric key is used to verify the identity of a user, and the app makes decisions based on the verified identity of that user, then the app could make incorrect decisions that result in elevation of privilege,” the company said.

*Updated to clarify that CVE-2017-004 and CVE-2016-7237 are different LSASS vulnerabilities discovered using the same PoC

Related: Microsoft Patches Several Publicly Disclosed Flaws

Related: Microsoft Issues Emergency Patch for Critical IE Flaw Exploited in the Wild

Related: Microsoft Patches 4 Vulnerabilities Exploited in the Wild

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.