This week marks another milestone for Microsoft’s Patch Tuesday, with the first fix for a vulnerability affecting the mixed-reality headset HoloLens.
If exploited, the flaw in how HoloLens handles objects in memory could allow an attacker to “take control of an affected system”, according to Microsoft’s security advisory.
The fix for the HoloLens remote code execution vulnerability, deemed to have a low chance of being exploited, was released as part of yesterday’s bundle of more than 50 security updates for Microsoft products.
“The device can be compromised by merely receiving WiFi packets, apparently without any form of authentication at all,” says an analysis of the HoloLens flaw by security group the Zero Day Initiative (ZDI). It affects Windows 10 and Windows Server 2016.
The HoloLens is a wearable headset that projects digital images into the wearer’s view and which is currently only available to select users as a pre-release product. Microsoft calls it a mixed reality headset because it can place digital objects in the real world in a believable manner, for example, putting a 3D model of a trophy on a real-world table.
While the HoloLens update resolves an issue in a piece of kit so new it’s unavailable to the general public, Microsoft recently made headlines for patching obsolete technology, when it issued an extraordinary update for Windows XP, which left mainstream support in 2014.
In total, more than 50 vulnerabilities were fixed by yesterday’s patch, including 19 flaws deemed to be critical. Of the critical flaws, six enabled remote code execution.
ZDI highlights one critical flaw that it expects to see used in phishing campaigns. The vulnerability, deemed likely to be exploited, allows an attacker to remotely execute code after sharing a folder and a malicious executable file with a user.
While four of the more than 50 vulnerabilities are publicly known, none are thought to be under active exploitation at present.