Security

Windows 10 security: HoloLens gets first Patch Tuesday fix from Microsoft

The fix for the HoloLens remote code execution was released as part of Tuesday's bundle of more than 50 security patches.

This week marks another milestone for Microsoft's Patch Tuesday, with the first fix for a vulnerability affecting the mixed-reality headset HoloLens.

If exploited, the flaw in how HoloLens handles objects in memory could allow an attacker to "take control of an affected system", according to Microsoft's security advisory.

The fix for the HoloLens remote code execution vulnerability, deemed to have a low chance of being exploited, was released as part of yesterday's bundle of more than 50 security updates for Microsoft products.

"The device can be compromised by merely receiving WiFi packets, apparently without any form of authentication at all," says an analysis of the HoloLens flaw by security group the Zero Day Initiative (ZDI). It affects Windows 10 and Windows Server 2016.

SEE: Microsoft HoloLens: The smart person's guide

The HoloLens is a wearable headset that projects digital images into the wearer's view and which is currently only available to select users as a pre-release product. Microsoft calls it a mixed reality headset because it can place digital objects in the real world in a believable manner, for example, putting a 3D model of a trophy on a real-world table.

While the HoloLens update resolves an issue in a piece of kit so new it's unavailable to the general public, Microsoft recently made headlines for patching obsolete technology, when it issued an extraordinary update for Windows XP, which left mainstream support in 2014.

In total, more than 50 vulnerabilities were fixed by yesterday's patch, including 19 flaws deemed to be critical. Of the critical flaws, six enabled remote code execution.

ZDI highlights one critical flaw that it expects to be seen being used in phishing campaigns. The vulnerability, deemed likely to be exploited, allows an attacker to remotely execute code after sharing a folder and a malicious executable file with user.

While four of the more than 50 vulnerabilities are publicly known, none are thought to be being actively exploited at present.

Patches include fixes for Microsoft's web browsers, both for Edge — related to failure to properly parse HTTP content — and Internet Explorer, which was updated with the latest patch for Adobe Flash. There are also updates to resolve code execution bugs in Office and PowerShell. ZDI says that some of the browser-related flaws highlight the dangers of vulnerabilities in the engines used to execute JavaScript, the defacto scripting language of the web.

7-screenshot-from-2016-10-26-153221.png

A Microsoft demo of the HoloLens

Image: Microsoft

Read more on security

About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.

Editor's Picks

Free Newsletters, In your Inbox