Welcome back to the February 2018 Patch Tuesday. Microsoft has released patches for the Windows Kernel, StructuredQuery, and a host of the usual suspects. In all, there are fixes for 55 known vulnerabilities in this month’s update. Many of the vulnerabilities fixed have a ‘Critical’ security rating, including the Adobe Flash Security Update which fixes a vulnerability that was exploited in the wild. One vulnerability (CVE-2018-0771) was publicly disclosed prior to patching, but it is only rated at a moderate severity.
The Windows Kernel has received a handful of fixes. The vulnerabilities that these fixes patch allow for a successful exploit to elevate an attacker’s privileges on a system and disclose sensitive information that could further compromise an affected system. The vulnerabilities revolve around object memory mismanagement at the kernel level. Microsoft rates these vulnerabilities as “Important.”
The Scripting Engine has 11 Critical vulnerabilities and 1 Important vulnerability patched this month. The engine is responsible for some object memory management in Microsoft Edge. When that engine mismanages maliciously crafted content, the Edge browser could be leveraged to execute an attacker’s code remotely. None of these vulnerabilities were known to be exploited or disclosed before the patch was made available.
Office makes its regular Patch Tuesday appearance. This month Outlook contains a Critical remote code execution vulnerability. An attacker would exploit this vulnerability by convincing the user to open a maliciously crafted attachment in an affected version of Microsoft Outlook, and then after opening it the attacker’s code would be executed. Excel also has a remote code execution vulnerability, but it is only rated as Important. The code would have the same security context as Outlook or Excel, giving us a gentle reminder to exercise the principal of least privilege.
Edge and Internet Explorer
Microsoft’s browsers make the usual appearance, but this time with some interesting flare. One vulnerability for Edge was disclosed prior to patching that would allow for security features in the browser to be bypassed by attackers. To Microsoft’s knowledge, there have been no exploits of this vulnerability in the wild. Both Edge and Internet Explorer contain Information Disclosure vulnerabilities that would give an attacker access to potentially sensitive information on the system. One of these information disclosure vulnerabilities was rated as Critical by Microsoft, the rest are rated as Important.
Adobe Flash Player
Adobe has released a fix for a Remote Code Execution vulnerability that was being exploited in the wild. The attack is being used in limited, targeted attacks against Windows users. The attacks are known to leverage Office documents with embedded malicious Flash content that are distributed via email. Microsoft rates this vulnerability as Critical, and users should be advised to apply the patch as soon as possible.