1 week ago

Microsoft Issues Security Patch Update for 14 brand new Critical Vulnerabilities


Microsoft’s Patch Tuesday due to This kind of month falls the day before the most romantic day of the year.

Yes, the idea’s Valentine’s, as well as also the tech giant has released its monthly security update for February 2018, addressing a total of 50 CVE-listed vulnerabilities in its Windows operating system, Microsoft Office, web browsers as well as also additional products.

Fourteen of the security updates are listed as critical, 34 are rated as important, as well as also 2 of them are rated as moderate in severity.

The critical update patches serious security flaws in Edge browser as well as also Outlook client, an RCE in Windows’ StructuredQuery component, as well as also several memory corruption bugs inside the scripting engines used by Edge as well as also Internet Explorer.

Critical Microsoft Outlook Vulnerability

One of the most severe bugs includes a memory corruption vulnerability (CVE-2018-0852) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machines.

In order to trigger the vulnerability, an attacker needs to trick a victim into opening a maliciously crafted message attachment or viewing the idea inside the Outlook Preview Pane. This kind of could allow the arbitrary code inside the malicious attachment to execute inside the context of the victim’s session.

If the victim is usually logged on with administrative user rights, the attacker could take control of the affected system, eventually allowing them to install programs, create brand new accounts with full user rights, or view, change or delete data.

“What’s truly frightening with This kind of bug is usually of which the Preview Pane is usually an attack vector, which means simply viewing an email inside the Preview Pane could allow code execution,” explained the Zero Day Initiative (ZDI).

“The end user targeted by such an attack doesn’t need to open or click on anything inside the email – just view the idea inside the Preview Pane. If This kind of bug turns into active exploits – as well as also with This kind of attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

The second Outlook vulnerability (CVE-2018-0850), rated as important, is usually a privilege escalation flaw of which can be leveraged to force the affected edition of Outlook to load a message store over SMB by a local or remote server.

Attackers can exploit the vulnerability by sending a specially crafted email to an Outlook user, as well as also since the bug can be exploited when the message is usually merely received (before the idea is usually even opened), the attack could take place without any user interaction.

“Outlook could then attempt to open a pre-configured message store contained inside the email upon receipt of the email,” Microsoft explains in its advisory. “This kind of update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.”

Both the Outlook vulnerabilities have been discovered as well as also reported to the tech giant by Microsoft’s researcher Nicolas Joly as well as also former Pwn2Own winner.

Critical Microsoft Edge Vulnerability

Another critical flaw, which is usually an information disclosure vulnerability (CVE-2018-0763), resides in Microsoft Edge of which exists due to Microsoft Edge’s improperly handling of objects inside the memory.

An attacker can exploit This kind of vulnerability to successfully obtain sensitive information to compromise the victim’s machine further.

“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites as well as also websites of which accept or host user-provided content could contain specially crafted content of which could exploit the vulnerability,” Microsoft explains.

“However, in all cases an attacker could have no way to force a user to view the attacker-controlled content. Instead, an attacker could have to convince a user to take action. For example, an attacker could trick a user into clicking a link of which takes the user to the attacker’s site.”

additional critical issues include several Scripting Engine Memory Corruption vulnerabilities in Microsoft Edge of which could be exploited to achieve remote code execution inside the context of the current user.

Microsoft Edge flaw (CVE-2018-0839), rated as important, is usually an information disclosure vulnerability of which exists due to Microsoft Edge improper handling of objects inside the memory.

Successful exploitation of the bug could allow attackers to obtain sensitive information to compromise the user’s system further.

Internet Explorer also got a patch to address an information disclosure vulnerability (CVE-2018-0847), rated important, of which could let a webpage use VBScript to fetch stored information by memory.

Publicly Disclosed Vulnerability Before Being Patched

Although the list of patched vulnerabilities does not include any zero-day flaws, one of the security flaws (CVE-2018-0771) in Microsoft Edge was publicly known before the company released patches, although was not listed as being under active attack.

Listed as Moderate, the issue is usually a Same-Origin Policy (SOP) bypass vulnerability which occurs due to Microsoft Edge’s improper handling of requests of different origins.

The vulnerability could allow an attacker to craft a webpage to bypass the SOP restrictions as well as also get the browser to send data by additional sites–requests of which should otherwise be ignored due to the SOP restrictions on place.

Meanwhile, Adobe on Tuesday also released security updates for its Acrobat, Reader as well as also Experience Manager products to address a total of 41 security vulnerabilities, out of which 17 are rated as critical as well as also 24 important in severity.

Users are strongly advised to apply security patches as soon as possible to keep hackers as well as also cybercriminals away by taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Article Categories:
Security Hacks

Leave a Comment

Your email address will not be published. Required fields are marked *

twenty − 5 =