Microsoft Fixes 50 Flaws in Windows, Outlook, Office and Browsers

Microsoft released patches for 50 vulnerabilities in Windows, Office, Outlook, Edge and Internet Explorer, 14 of which are rated critical. The company also released additional protections for the Meltdown and Spectre CPU vulnerabilities for older 32-bit versions of Windows 10, including Windows 10 for HoloLens.

The most urgent patch is for a critical flaw (CVE-2018-0825) in the Windows StructuredQuery component, which is used by the search system on both Windows servers and workstations. This vulnerability can be exploited by tricking users into opening files sent via email or downloaded from websites, and can result in arbitrary code execution with the permissions of the active user.

What’s even more dangerous is that the flaw can also be exploited through the Preview Pane and is related to a similar vulnerability in Outlook (CVE-2018-0852) that was also fixed Tuesday.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” Dustin Childs from the Zero Day Initiative, said in a blog post. “The end user targeted by such an attack doesn’t need to open or click on anything in the email—just view it in the Preview Pane. If this bug turns into active exploits—and with this attack vector, exploit writers will certainly try—unpatched systems will definitely suffer.”

According to researchers from vulnerability management firm Qualys, the other Outlook patches should also be prioritized by system administrators, as well as the patches for remote code execution (RCE) vulnerabilities in the Scripting Engine, which primarily impacts Microsoft’s browsers. These patches are particularly important for workstations, they said.

“The impact of RCE vulnerabilities is limited by whatever rights the current user has,” explained Greg Wiseman, senior security researcher, Rapid7. “However, they could potentially be chained with one of the 15 elevation of privilege vulnerabilities that were also patched this month.”

Microsoft has also distributed the Flash Player updates released by Adobe last week to address a critical zero-day vulnerability that’s being exploited in the wild. Users should make sure they have all the Flash Player browser plug-ins up to date.

Adobe Releases Patches for Acrobat, Reader and Experience Manager

On Tuesday, Adobe Systems also released security updates for its Reader and Acrobat products and for Experience Manager, an enterprise content management system.

The Adobe Acrobat and Reader updates fix 17 critical vulnerabilities, 16 that can lead to arbitrary code execution and one that can result in privilege escalation. The patch also addresses 24 vulnerabilities that can lead to remote code execution and are rated as important. All of these flaws can be exploited through maliciously crafted PDF files, but attackers also have to bypass the sandboxing feature of Reader and Acrobat.

Users should upgrade Acrobat and Reader DC (Continuous Track) to version 2018.011.20035, Acrobat and Reader 2017 to version 2017.011.30078 and Acrobat and Reader DC (Classic Track) to version 2015.006.30413 on Windows and version 2015.006.30416 on Mac.

The Adobe Experience Manager (AEM) hotfixes address a cross-site scripting flaw rated as important and a reflected cross-site scripting issue rated as moderate severity. Both flaws can lead to sensitive information disclosure. The patches are available for AEM 6.0, AEM 6.1, AEM 6.2 and AEM 6.3.

May 8, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
