Microsoft Patches Flaws in Windows, Office, Edge

Microsoft has addressed vulnerabilities affecting Windows, Office and the Edge web browser, but the company’s January 2017 Patch Tuesday updates include only four security bulletins.

The company has released two critical bulletins, including one that resolves a memory corruption vulnerability in Office (CVE-2017-0003). The flaw, caused by the way the software handles objects in memory, can be exploited to execute arbitrary code in the context of the current user.

The security hole can be exploited by getting the targeted user to open a specially crafted file or visit a website hosting a malicious file. The issue was reported to Microsoft by Tony Loi of Fortinet’s FortiGuard Labs.

One of the important bulletins patches a privilege escalation vulnerability in Edge (CVE-2017-0002). The flaw was publicly disclosed before the patch became available.

“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge,” Microsoft said in its advisory.

Another important bulletin patches a denial-of-service (DoS) vulnerability caused by the way the Local Security Authority Subsystem Service (LSASS) in Windows handles authentication requests. The weakness is tracked as CVE-2017-0004.

This vulnerability was identified by researcher Laurent Gaffie, and Microsoft released a fix for it in November. However, an analysis of Gaffie’s PoC code by Nicolás Economou of Core Security helped Microsoft determine that the November update actually patched a different issue. Ultimately, Gaffie’s PoC led to the discovery of two DoS vulnerabilities in LSASS: CVE-2016-7237 and CVE-2017-0004.

The last bulletin released by Microsoft on Tuesday addresses vulnerabilities in Adobe Flash Player as used in various versions of Windows. Adobe has released security updates that fix 29 flaws in Reader and Acrobat, and 13 in Flash Player.

Microsoft has also published an advisory to warn users about a privilege escalation vulnerability affecting .NET Core or .NET Framework projects that use Identity Model Extensions version 5.1.0. The company has advised developers to update their installations to version 5.1.1 or greater.

“Microsoft is aware of a security vulnerability in the public version of Microsoft.IdentityModel.Tokens 5.1.0 where tokens signed with symmetric keys could be vulnerable to tampering. If a token signed with a symmetric key is used to verify the identity of a user, and the app makes decisions based on the verified identity of that user, then the app could make incorrect decisions that result in elevation of privilege,” the company said.

*Updated to clarify that CVE-2017-0004 and CVE-2016-7237 are different LSASS vulnerabilities discovered using the same PoC.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
