Microsoft Fixes 50 Flaws in Windows, Outlook, Office and Browsers

Microsoft released patches for 50 vulnerabilities in Windows, Office, Outlook, Edge and Internet Explorer, 14 of which are rated critical. The company also released additional protections for the Meltdown and Spectre CPU vulnerabilities for older 32-bit versions of Windows 10, including Windows 10 for HoloLens.

The most urgent patch is for a critical flaw (CVE-2018-0825) in the Windows StructuredQuery component, which is used by the search system on both Windows servers and workstations. This vulnerability can be exploited by tricking users to open files sent via email or downloaded from websites and can result in arbitrary code executions with the permission of the active user.

What’s even more dangerous is that the flaw can also be exploited through the Preview Pane and is related to a similar vulnerability in Outlook (CVE-2018-0852) that was also fixed Tuesday.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” Dustin Childs from the Zero Day Initiative, said in a blog post. “The end user targeted by such an attack doesn’t need to open or click on anything in the email—just view it in the Preview Pane. If this bug turns into active exploits—and with this attack vector, exploit writers will certainly try—unpatched systems will definitely suffer.”

According to researchers from vulnerability management firm Qualys, the other Outlook patches should also be prioritized by system administrators, as well as the patches for remote code execution (RCE) vulnerabilities in the Scripting Engine, which primarily impacts Microsoft’s browsers. These patches are particularly important for workstations, they said.

“The impact of RCE vulnerabilities is limited by whatever rights the current user has,” explained Greg Wiseman, senior security researcher, Rapid7. “However, they could potentially be chained with one of the 15 elevation of privilege vulnerabilities that were also patched this month.”

Microsoft has also distributed the Flash Player updates released by Adobe last week to address a critical zero-day vulnerability that’s being exploited in the wild. Users should make sure they have all the Flash Player browser plug-ins up to date.

Adobe Releases Patches for Acrobat, Reader and Experience Manager

On Tuesday, Adobe Systems has also released security updates for its Reader and Acrobat products and for Experience Manager, an enterprise content management system.

The Adobe Acrobat and Reader updates fix 17 critical vulnerabilities, 16 that can lead to arbitrary code execution and one that can result in privilege escalation. The patch also addresses 24 vulnerabilities that can lead to remote code execution and are rated as important. All of these flaws can be exploited through maliciously crafted PDF files, but attackers also have to bypass the sandboxing feature of Reader and Acrobat.

Users should upgrade Acrobat and Reader DC (Continuous Track) to version 2018.011.20035, Acrobat and Reader 2017 to version 2017.011.30078 and Acrobat and Reader DC (Classic Track) to version 2015.006.30413 on Windows and version 2015.006.30416 on Mac.

The Adobe Experience Manager (AEM) hotfixes address a cross-site scripting flaw rated as imported and a reflected cross-site scripting issue rated as moderate severity. Both flaws can lead to sensitive information disclosure. The patches are available for AEM 6.0, AEM 6.1, AEM 6.2 and AEM 6.3.

Featured eBook
The Second Wave of IT Security: How Today’s Leaders See the Future

The Second Wave of IT Security: How Today’s Leaders See the Future

As network security issues grew in the 1970s, and the 1980s brought the widespread use of the internet, the IT security profession expanded to address the malicious threats and innocent user mistakes of highly connected users and machines. Today, the security industry is experiencing what could be called a renaissance of sorts. Security professionals are ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin