This week saw the second Tuesday of the month, and everyone who is responsible for protecting Windows computers knows what that means: another bundle of security patches has been released by Microsoft.
This month’s “Patch Tuesday” included security updates for Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, Adobe Flash Player, and other software, tackling over 50 security vulnerabilities.
The most serious security patches have been given Microsoft’s highest severity ranking of “critical”. That means that Microsoft’s security team believes that the flaws could be remotely exploited by malicious hackers, often to plant malware designed to hijack targeted computers without user interaction.
One of the most worrying security holes addressed by the patches is a memory corruption bug in Outlook (CVE-2018-0852) that could allow an attacker to remotely trick your computer into running malicious code.
The attack can be triggered by opening a booby-trapped attachment, visiting a poisoned webpage, or simply viewing a malicious message in Outlook’s preview pane.
Here is Microsoft describing how a hacker could exploit the flaw:
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
Although there is no evidence yet that malicious hackers are exploiting this Outlook flaw, the fact that a computer can be compromised via the preview pane makes it particularly threatening. Patching, therefore, should be a priority.
A series of other critical security holes have been found in Edge and Internet Explorer, which could allow remote code execution just by visiting a malicious webpage.
There’s no doubting Microsoft’s desire to fix as many vulnerabilities as it can with its monthly patch bundle, but there’s at least one recently disclosed serious security hole in a Microsoft product that has not been addressed this time.
Last September, security researcher Stefan Kanthak told Microsoft about a flaw in how the Skype desktop app updates itself which could be exploited to allow an unprivileged user to escalate themselves to full “system”-level rights, giving them God-like control over the computer.
Microsoft confirmed to Kanthak that it was able to replicate the problem, but told him that it would not be fixed until a new version of the software was released, rather than via a security update, due to the “large code revision” required.
And there’s one other possible wrinkle in your security blanket.
Last month Microsoft warned that some security products were incompatible with its mitigation against the Meltdown CPU flaw, and as a result would not receive any further Microsoft patches until those products certified that they would not cause problems.
Fortunately, most of the major anti-virus products are now compliant, and ESET customers – for instance – don’t have anything to worry about, as their security products are compatible with Microsoft’s patch for the Meltdown Intel flaw.
Obviously it’s a good idea to update your computer systems at your earliest convenience. Backing up essential systems before applying the patches is advisable, just in case something goes wrong. And if it’s not convenient, maybe now is the time to make sure it *is* convenient in future.
Author: Graham Cluley, We Live Security