Fourteen issues are listed as critical, 34 are rated as important, and only two of them are rated as moderate in severity.
The list of critical vulnerabilities includes an information disclosure issue in the Edge browser, a remote code execution vulnerability in the Windows StructuredQuery component, a memory corruption in Outlook, and several memory corruption flaws that reside in the scripting engines used by both Edge and Internet Explorer.
One of the most severe vulnerabilities addressed by the Microsoft Patch Tuesday for February 2018 is a memory corruption flaw tracked as CVE-2018-0852 that affects Microsoft Outlook. The flaw could be exploited to achieve remote code execution on the targeted machines.
“A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
In order to trigger the flaw, an attacker can trick the victim into opening a specially crafted message attachment or viewing it in the Outlook Preview Pane. Yes, simply viewing an email in the Preview Pane could allow code execution.
“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.” continues the advisory.
Another vulnerability affecting Outlook and addressed with the Microsoft Patch Tuesday for February 2018 is a privilege escalation issue tracked as CVE-2018-0850. The vulnerability is rated as important and can be exploited by sending a specially crafted email to an Outlook user. Exploitation doesn’t require any user action: the flaw is triggered when the message is merely received.
“An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).” states the advisory published by Microsoft.
“To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.”
Another critical flaw fixed by Microsoft is an information disclosure vulnerability (CVE-2018-0763) that affects Microsoft Edge. The vulnerability is tied to the way Microsoft Edge improperly handles objects in memory.
An attacker can trigger the flaw to obtain sensitive information that helps compromise the target machine, but in this case exploitation requires user interaction.
“An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.” states the advisory published by Microsoft.
“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”
Let’s close with another issue fixed by Microsoft, CVE-2018-0771, which affects Microsoft Edge; it was publicly known before Microsoft fixed it.
“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.” states Microsoft.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Users have to apply security patches as soon as possible.
(Security Affairs – Microsoft Patch Tuesday for February 2018, hacking)