This week saw the second Tuesday of the month, and
everyone who is responsible for protecting Windows computers knows what that
means: another bundle of security patches has been released by Microsoft.
This month’s “Patch Tuesday” included security
updates for Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft
Office, Adobe Flash Player, and other software, tackling over 50 security
vulnerabilities.
The most serious security patches have been given
Microsoft’s highest severity ranking of “critical”. That means that Microsoft’s
security team believes that the flaws could be remotely exploited by malicious
hackers, often to plant malware designed to hijack targeted computers without
user interaction.
One of the most worrying security holes addressed
by the patches is a memory corruption bug in Outlook (CVE-2018-0852)
that could allow an attacker to remotely trick your computer into running
malicious code.
The attack can be triggered by opening a
boobytrapped attachment, visiting a poisoned webpage, or simply viewing a
malicious message in Outlook’s preview pane.
Here is Microsoft describing how a hacker could
exploit the flaw:
“Exploitation of the vulnerability requires that a
user open a specially crafted file with an affected version of Microsoft
Outlook software. In an email attack scenario, an attacker could exploit the
vulnerability by sending the specially crafted file to the user and convincing
the user to open the file. In a web-based attack scenario, an attacker could
host a website (or leverage a compromised website that accepts or hosts
user-provided content) that contains a specially crafted file designed to
exploit the vulnerability. An attacker would have no way to force users to visit
the website. Instead, an attacker would have to convince users to click a link,
typically by way of an enticement in an email or instant message, and then
convince them to open the specially crafted file.”
Although there is no evidence yet that malicious
hackers are exploiting this Outlook flaw, the fact that a computer can be
compromised via the preview pane makes it particularly threatening. Patching,
therefore, should be a priority.
A series of other critical security holes has been
found in Edge and Internet Explorer, which could allow remote code execution
just by visiting a malicious webpage.
There’s no doubting Microsoft’s desire to fix as
many vulnerabilities as it can with its monthly patch bundle, but there’s at
least one recently-disclosed serious security hole in a Microsoft product that
has not been addressed this time.
Last September, security researcher Stefan Kanthak
told Microsoft about a flaw in how the Skype desktop app updates itself, which
could be exploited to allow an unprivileged user to escalate their privileges to
full “system” level, giving them God-like rights over the computer.
Microsoft confirmed to Kanthak that it was able to
replicate the problem, but told him that it would not be fixed until a new version of the
software was released, rather than via a security update, due to the “large
code revision” required.
And there’s one other possible wrinkle in your
security blanket.
Last month Microsoft warned that some security
products were incompatible with its mitigation against the Meltdown CPU flaw,
and as a result computers running them would not receive any further
Microsoft patches until those products certified that they would not
cause problems.
Fortunately most of the major anti-virus products
are now compliant, and ESET customers – for instance – don’t have anything to
worry about, as their security products are compatible with Microsoft’s patch
for the Meltdown Intel flaw.
Obviously it’s a good idea to update your computer
systems at your earliest convenience. Backing up essential systems before
applying the patches is advisable, just in case something goes wrong. And if
it’s not convenient, maybe now is the time to make sure it *is* convenient
in future.