Microsoft released patches for 50 vulnerabilities in Windows, Office, Outlook, Edge and Internet Explorer, 14 of which are rated critical. The company also released additional protections for the Meltdown and Spectre CPU vulnerabilities for older 32-bit versions of Windows 10, including Windows 10 for HoloLens.
The most urgent patch is for a critical flaw (CVE-2018-0825) in the Windows StructuredQuery component, which is used by the search system on both Windows servers and workstations. This vulnerability can be exploited by tricking users into opening files sent via email or downloaded from websites, and can result in arbitrary code execution with the permissions of the active user.
What’s even more dangerous is that the flaw can also be exploited through the Preview Pane and is related to a similar vulnerability in Outlook (CVE-2018-0852) that was also fixed Tuesday.
“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” Dustin Childs from the Zero Day Initiative, said in a blog post. “The end user targeted by such an attack doesn’t need to open or click on anything in the email—just view it in the Preview Pane. If this bug turns into active exploits—and with this attack vector, exploit writers will certainly try—unpatched systems will definitely suffer.”
According to researchers from vulnerability management firm Qualys, the other Outlook patches should also be prioritized by system administrators, as should the patches for remote code execution (RCE) vulnerabilities in the Scripting Engine, which primarily affect Microsoft’s browsers. These patches are particularly important for workstations, they said.
“The impact of RCE vulnerabilities is limited by whatever rights the current user has,” explained Greg Wiseman, senior security researcher, Rapid7. “However, they could potentially be chained with one of the 15 elevation of privilege vulnerabilities that were also patched this month.”
Microsoft has also distributed the Flash Player updates released by Adobe last week to address a critical zero-day vulnerability that’s being exploited in the wild. Users should make sure they have all the Flash Player browser plug-ins up to date.
Adobe Releases Patches for Acrobat, Reader and Experience Manager
On Tuesday, Adobe Systems also released security updates for its Reader and Acrobat products and for Experience Manager, an enterprise content management system.
The Adobe Acrobat and Reader updates fix 17 critical vulnerabilities, 16 of which can lead to arbitrary code execution and one of which can result in privilege escalation. The patch also addresses 24 vulnerabilities that can lead to remote code execution and are rated as important. All of these flaws can be exploited through maliciously crafted PDF files, but attackers also have to bypass the sandboxing feature of Reader and Acrobat.
Users should upgrade Acrobat and Reader DC (Continuous Track) to version 2018.011.20035, Acrobat and Reader 2017 to version 2017.011.30078 and Acrobat and Reader DC (Classic Track) to version 2015.006.30413 on Windows and version 2015.006.30416 on Mac.
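As an added example (not code from the article or from Adobe), the following Python script checks an inventory of installed Acrobat/Reader builds against the minimum fixed versions listed above. It assumes the leading year component of a version string identifies the track, and the sample inventory is constructed for the demo.

```python
# Minimum fixed builds as listed in the article, keyed by (track, platform).
FIXED_VERSIONS = {
    ("DC Continuous", "Windows"): "2018.011.20035",
    ("DC Continuous", "Mac"): "2018.011.20035",
    ("Acrobat/Reader 2017", "Windows"): "2017.011.30078",
    ("Acrobat/Reader 2017", "Mac"): "2017.011.30078",
    ("DC Classic", "Windows"): "2015.006.30413",
    ("DC Classic", "Mac"): "2015.006.30416",
}


def parse_version(text):
    """Convert 'YYYY.xxx.yyyyy' into an int tuple for numeric comparison."""
    # Raw string comparison is wrong here: '2018.011.9000' sorts above
    # '2018.011.20035' lexically although it is the older build.
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Acrobat/Reader version: {text!r}")
    return tuple(int(p) for p in parts)


def check_version(installed, platform):
    """Return (is_patched, track, required_build) for one installed build.

    Assumption not stated in the article: the leading year component picks
    the track (2018.* Continuous, 2017.* the 2017 track, 2015.* Classic).
    """
    inst = parse_version(installed)
    for (track, plat), fixed in FIXED_VERSIONS.items():
        if plat == platform and parse_version(fixed)[0] == inst[0]:
            return inst >= parse_version(fixed), track, fixed
    raise ValueError(f"no fixed build known for {installed!r} on {platform!r}")


def unpatched_hosts(inventory):
    """Reduce (host, platform, version) rows to the hosts still needing the update."""
    needs_update = []
    for host, platform, version in inventory:
        patched, track, required = check_version(version, platform)
        if not patched:
            needs_update.append((host, track, required))
    return needs_update


# Constructed sample inventory for the demo; these are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "2018.011.20035"),   # Continuous, already fixed
    ("ws-02", "Windows", "2018.009.20050"),   # Continuous, older build
    ("mac-01", "Mac", "2015.006.30413"),      # Classic, fixed on Windows but not on Mac
    ("srv-01", "Windows", "2017.011.30078"),  # 2017 track, fixed
]
```

Note that the Classic track has different fixed builds on Windows and Mac, so a check must key on the platform and not just on the version string.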
The Adobe Experience Manager (AEM) hotfixes address a cross-site scripting flaw rated as important and a reflected cross-site scripting issue rated as moderate severity. Both flaws can lead to sensitive information disclosure. The patches are available for AEM 6.0, AEM 6.1, AEM 6.2 and AEM 6.3.