Patch Tuesday: More Work for Admins With 56 Flaws to Fix
Microsoft heaped more work on IT administrators this week with a Patch Tuesday update round that will bring the total CVEs addressed in January to 55, including four public disclosures and one zero-day vulnerability.
The zero-day (CVE-2018-0802) is an Office vulnerability which could allow a remote attacker to take control of an affected system.
“The attacker in this case, could create a specially crafted file or host specially crafted content on a compromised website or user contributed content on a website,” explained Ivanti director of product management, Chris Goettl. “A user opening these specially crafted files would allow the exploit to run giving the attacker equal rights to the system as the current user.”
The issue could also be mitigated by users running with fewer privileges, he said.
A previously unseen public disclosure (CVE-2018-0819) relates to the Mailsploit vulnerability in Outlook for Mac and could apparently allow an attacker to circumvent email anti-spoofing mechanisms like DMARC.
The remaining three public disclosures were published last week and relate to the Meltdown and Spectre chip issues.
The former is fixed with code changes to the kernel and the latter two flaws via firmware updates, so OS and firmware updates must be installed to fully mitigate these attack methods, according to Goettl.
However, admins have been warned to thoroughly test these updates as reports suggest there could be varying degrees of performance degradation, as well as possible BSOD due to compatibility issues with third-party AV tools.
Microsoft has also halted the deployment of patches for some AMD systems after some users reported their devices got into an “unbootable state.”
Qualys director of product management, Jimmy Graham, claimed that after Spectre and Meltdown patches, the focus for workstation environments should be on fixing Outlook vulnerability CVE-2018-0793 and Word flaw CVE-2018-0794.
Also this month, Adobe released a Priority 2 update for Flash Player (APSB18-01), which fixes out-of-bounds read bug CVE-2018-4871.
Apple released iOS 11.2.2 yesterday as well as a macOS High Sierra 10.13.2 update to help mitigate issues relating to the Spectre chip flaws.
Source: Information Security Magazine