Microsoft’s Patch Tuesday updates for February 2018 address 50 vulnerabilities in Windows, Office and the company’s web browsers, but this time the list does not appear to include any zero-day flaws.
Fourteen of the security holes have been rated critical, including an information disclosure flaw in Edge, a memory corruption in Outlook, a remote code execution vulnerability in Windows’ StructuredQuery component, and several memory corruptions in the scripting engines used by Edge and Internet Explorer.
One vulnerability, CVE-2018-0771, was publicly disclosed before Microsoft released patches. The issue is a Same-Origin Policy (SOP) bypass that exists due to the way Edge handles requests of different origins.
“An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted,” Microsoft said. The company believes it’s unlikely that this flaw, which it has rated “important,” will be exploited in attacks.
Two of the most interesting issues patched this month are Outlook vulnerabilities discovered by Microsoft’s own Nicolas Joly. One of the flaws, CVE-2018-0852, can be exploited to execute arbitrary code in the context of a user’s session by getting the target to open a specially crafted file with an affected version of Outlook.
“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained Dustin Childs of the Zero Day Initiative (ZDI). “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”
The second Outlook vulnerability found by Joly is a privilege escalation issue (CVE-2018-0850) that can be leveraged to force Outlook to load a local or remote message store. The flaw can be exploited by sending a specially crafted email to an Outlook user.
“The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email,” Childs said, pointing out that such a vulnerability would have earned Joly a prize in ZDI’s Pwn2Own competition.
Microsoft’s Patch Tuesday updates fix a total of 34 important and two moderate severity vulnerabilities.
Earlier this month, Microsoft updated the Adobe Flash Player components used by its products to address two vulnerabilities, including a zero-day believed to have been exploited by North Korean threat actors. Adobe on Tuesday released updates for its Acrobat, Reader and Experience Manager products to address 41 security bugs.
Related: Microsoft Patches Zero-Day Vulnerability in Office
Related: Microsoft Patches for CPU Flaws Break Windows, Apps
