Microsoft January Patch Fixes 56 Security Issues, Including a 0-Day [source: bleepingcomputer]
by CIRT Team
Earlier today, Microsoft published the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, and a defense-in-depth update for Office applications.
This month, things were a little messy. On January 3, Microsoft released an emergency out-of-band security update with fixes for the now infamous Meltdown and Spectre vulnerabilities. That emergency update was supposed to be part of today’s Patch Tuesday, so you’ll see it in the table below as well.
Besides fixes for the Meltdown and Spectre flaws, the January 3 out-of-band update also contained additional fixes for other security bugs. Those are also included in the table below.
Microsoft patches 0-day in Office Equation Editor component
But while the Meltdown and Spectre bugs seized everyone’s attention this past week, today’s Patch Tuesday updates deliver important fixes on their own.
The most important of these is a zero-day vulnerability in the Microsoft Office and Microsoft WordPad applications. Microsoft describes the flaw (CVE-2018-0802) as a memory corruption issue that allows attackers to execute code on a victim’s PC. The flaw appears to reside in an old version of the Office Equation Editor component.
Microsoft credited several researchers with discovering the flaw (Qihoo 360, Tencent, 0patch Team, and Check Point) and said
The OS maker addressed the zero-day by removing some of the Equation Editor’s functionality.
A security firm pointed out in November 2017 that the Equation Editor was an antiquated and vulnerable component, and cybercrime groups quickly moved to exploit the flaw. Now it appears that other groups have found new methods to exploit the same component after that earlier research identified it as a weak spot in the Office suite.
Microsoft similarly got rid of another feature called Dynamic Data Exchange (DDE) after malware groups began abusing it again, having previously abused it in the 90s. Microsoft removed DDE only from Word, not from the entire Office suite.