Update now: Microsoft flags serious Outlook flaws in ‘Patch Tuesday’ release
Microsoft Corp. has issued 50 security fixes covering vulnerabilities in Windows, Internet Explorer, Flash for IE, Edge, Office, SharePoint and ChakraCore as part of its monthly “Patch Tuesday” release today, with two critical Outlook flaws leading the pack.
The Outlook vulnerabilities (including CVE-2018-0852) patched in the release allowed an attacker to execute malicious code remotely. Worse, if the targeted user was logged in with administrative rights, an attacker could use the vulnerabilities to gain control of the entire system.
Other patches include a fix for CVE-2018-0771, a security feature bypass vulnerability in the Edge web browser that could allow an attacker to host a specially crafted website designed to exploit the vulnerability.
Discussing the release, Chris Goettl, director of product management for security at Ivanti Inc., told SiliconANGLE that other standouts include CVE-2018-0825, a vulnerability in StructuredQuery that could allow remote code execution.
“This is a user-targeted attack scenario that could allow the attacker to craft a file that could be used in an email or web-based attack,” Goettl explained. “This vulnerability is in the OS, though, so all systems are potentially vulnerable. The vulnerability can also be exploited through the Preview Pane, which makes this one a bit more threatening than some of the similar Office-based vulnerabilities this month.”
Goettl said that Microsoft has resolved six Office vulnerabilities this month, including several that could allow remote code execution.
“These vulnerabilities could be exploited through a hosted website, via an attachment in email, etc.,” he said. “The attacker would gain equal rights as the current user, so if the user is a full administrator, the attacker would gain full control of the system. This is a good example of why privilege management is so important. It is hard to take admin rights back from a user once granted, but there are other methods to take away specific capabilities to take some of the risk out of that full administrator user as well.”
Also bundled with the release was a range of patches for Adobe Flash, which Jimmy Graham, director of product management at Qualys Inc., said should be treated as a priority for installation.
“Adobe has released several patches, including some from last week covering Flash, Reader, Acrobat, and Adobe Experience Manager,” Graham said. “The Reader and Acrobat patches cover a whopping 41 vulnerabilities, while the Flash and Experience Manager patches each cover two. There are active exploits against the Flash vulnerabilities, and they should be patched immediately, followed quickly by the Reader and Acrobat patches.”