Microsoft patches two nasty Outlook bugs in latest Patch Tuesday release

February 19, 2018

FEBRUARY’S PATCH TUESDAY is here, and Microsoft is rolling out fixes for over 50 vulnerabilities in Windows, Office, Internet Explorer, Edge and, of course, Adobe Flash Player. In total there are around 55 fixes, but the Adobe Flash vulnerabilities top the list, according to the SANS Internet Storm Center.

“According to Adobe and reports from the Korean Computer Emergency Response Team (KR-CERT), one of the vulnerabilities has already been exploited, so I am marking it differently here, and assign it a ‘Patch Now’ rating,” it wrote.

“Not much detail has been made public yet about this vulnerability, which is why I am leaving the ‘Disclosed’ rating at ‘No’,” it added.

Although Adobe Flash Player will be discontinued by 2020, it is still used broadly across many different browsers.

Microsoft’s top priority this month has been two specific flaws in Outlook, the company’s email client, starting with CVE-2018-0852.

Microsoft is warning that the remote code execution vulnerability could potentially give a hacker full control of a system if the user is logged on with admin user rights. Outlook attempts to open the pre-configured message on receipt of an email. You read that right – not viewing, not previewing, but upon receipt. This means the flaw can be exploited by hackers through the Outlook Preview Pane, which makes it especially critical for individuals and organisations to update as soon as possible.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” warned Trend Micro’s Zero-day Initiative in a blog posting.

“The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

CVE-2018-0850 is possibly more powerful: a hacker may be able to create an exploit in Outlook that needs no user intervention whatsoever, ZDI claimed.

The bug is attributed to Pwn2Own bug-hunter Nicolas Joly: “this bug occurs when an attacker sends a maliciously crafted email to a victim. The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB [messaging protocol].

“Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email.”

Meanwhile, CVE-2018-0825 is a less interesting remote code execution vulnerability in the StructuredQuery component of multiple Windows operating systems, including Windows 10 and even Windows RT.

“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” warned Microsoft.

Additionally, there were out-of-band patches for Microsoft Office’s Equation Editor, issued in January, which users should have applied by now but may not have.

SANS has also added an update regarding the Spectre CPU security flaw, which has been occupying Intel in particular for much of the new year. “The ‘Spectre’ advisory (ADV180002) was originally released in January, but has undergone several updates since then.

“The latest version released today includes references to new updates released for Windows 10 (32-bit). It also states that there is no release schedule for older versions of Windows, but that they are working on releasing updates for pre-Windows 10 operating systems.”