It’s 2018 and a Word doc can still pwn your Windows computer
Patch Tuesday In case you’ve been hiding under a rock for the entirety of this new year (and we don’t blame you if you have) there are a handful of major security flaws that have been dominating the news, and feature prominently in this month’s Patch Tuesday update load.
First, let’s look at the latest developments in the Meltdown/Spectre saga:
Nvidia, IBM deliver Spectre patches
Nvidia has got around to kicking out graphics driver updates that address the Spectre flaws present in its code – for example, here are some patches for Ubuntu. IBM is also due to release Spectre mitigations for its POWER server line today.
Microsoft AMD-bricking Spectre update yanked
Meanwhile, Microsoft has pulled down KB4056892, the Spectre bug fix that was found to be causing some AMD machines to crash on startup. The Redmond giant now says it is working with AMD to get a compatible patch out ASAP, but in the meantime Athlon machines will not be getting the Spectre update (AMD CPUs are not susceptible to Meltdown, an Intel-specific condition.)
And now back to your regularly scheduled patch headache
The January edition of Microsoft’s Patch Tuesday release is a formidable update in its own right, containing updates for 56 CVE-listed flaws including an actively targeted flaw in Office, and critical vulnerabilities in Edge and Internet Explorer.
Microsoft said that CVE-2018-0802, a remote code execution hole in Office, is already being targeted in the wild. The flaw is triggered when the target opens a malformed Word file in Office or WordPad.
As usual, a good chunk of the CVEs (15 in this case) were for vulnerabilities in the scripting engine used by Edge and Internet Explorer. These flaws, none of which have been targeted in the wild yet, would allow remote code execution by way of a specially-crafted website that triggered a memory corruption error.
One flaw catching the eye of security researchers is CVE-2018-0786, a certificate validation bypass.
“This patch addresses a vulnerability in .NET Framework (and .NET Core) that prevents these components from completely validating a certificate,” explained Dustin Childs from Trend Micro’s Zero Day Initiative.
“This is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid.”
Another flaw in .NET, CVE-2018-0785, leaves users vulnerable to account hijacking by way of a cross-site forgery attack.
“An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim’s user account without his/her consent,” said Microsoft.
“As a result, a victim of this attack may be permanently locked out of his/her account after losing access to his/her 2FA device, as the initial recovery codes would be no longer valid.”
In addition to the already-mentioned CVE-2018-0802, Word was the subject of nine other remote code execution and memory disclosure vulnerabilities. Updating Office to close up those holes should be among the top priorities for administrators.
Office for Mac should also be updated, as a spoofing vulnerability (CVE-2018-0819) has been publicly disclosed. Because Outlook for Mac does not properly display or handle email addresses, phishing emails could skip past antivirus and spam filters to appear as genuine.
Grab your Android updates – where available
While we’re on the subject of security bugs, don’t forget to patch your Android devices with this month’s code remedies, if you can. Not every device gets every Android update straight away, if at all.
Last week, amid all the Meltdown and Spectre fanfare, Google published its January batch of updates, which included mitigations against Spectre oversights in Arm processors as well as updates to address 38 other CVE-listed vulnerabilities. These exploitable holes include three remote code execution flaws in the Android media framework, and one in the system software.
Just one Flash fix from Adobe
Meanwhile, the lone update from Adobe this month is for an out of bounds read flaw (CVE-2018-4871) that could allow for information disclosure. No active exploits have been reported. Trend Micro Zero Day Initiative was credited with the discovery. ®