Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Microsoft's latest Windows security patches close 50 different flaws, including two serious Outlook ones, neither of which requires user interaction to execute.
- Microsoft says these two flaws haven't been used in any attacks, but rest assured: Now that they're public they will be. Patch your systems now to prevent a security issue.—TechRepublic
Microsoft has released its February Patch Tuesday update, which includes 50 Windows security patches.
The issues addressed are numerous and include patches for an Adobe Flash zero day (issued earlier this month but bundled with this update), updates to Windows Analytics designed to help navigate the Spectre/Meltdown patching minefield, and a fix for two serious Microsoft Outlook flaws.
The Outlook issues in question, CVE-2018-0852 and CVE-2018-0850, are both able to execute their exploits without any user interaction. In the case of 0852, all it requires is that the message appears in the preview pane, and 0850 functions by simply being received by Outlook—no viewing or previewing of any kind is required.
Serious Outlook exploits
The danger of these two Microsoft Outlook exploits largely comes from the fact that user interaction isn't required to compromise the target machine.
0852, which Microsoft calls an Outlook Memory Corruption Vulnerability, lets an attacker execute code as the current user. "If the current user is logged on with administrative user rights, an attacker could take control of the affected system ... install programs; view, change, or delete data; or create new accounts with full user rights."
This flaw, like many other email exploits, involves sending an infected file to a user, which then has to be opened. As the Zero Day Initiative points out, this exploit only requires the email to be previewed in the preview pane, so whatever file is being transmitted is opened without the user actually clicking on the message to see it in full.
This particular bug is only a risk for users with administrative access—typical user accounts won't allow 0852 to function.
Microsoft is much less verbose about 0850, only saying that it is an elevation of privilege vulnerability. "An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB)," the CVE page reads.
Don't delay these patches
There's no more succinct way to put it than what the Zero Day Initiative said about these two Outlook bugs: Both fall into the "Patch Now!" category.
Microsoft's CVE pages for both exploits indicate that they have yet to appear in the wild, and the patch notes released on February 13 are the first public announcement of the exploits.
That said, the worst Windows security incidents in the last year leveraged well-known Windows flaws that had already been patched, yet were able to spread because systems weren't updated.
Now that these two vulnerabilities are known, it's only a matter of time before hackers attempt to exploit them in the wild, so here's your warning: Apply Microsoft's February security patches to close these, and 48 other, security flaws. Failure to do so opens you up to attacks that can be easily avoided.
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.