Thanks to Meltdown and Spectre, January has already been an extremely busy month of patching for Microsoft. Today Microsoft tackled dozens more bugs, part of its regular Patch Tuesday release covering Microsoft Edge, Windows, Office, ASP.NET and the macOS version of Office.
Sixteen of Microsoft’s updates tackled critical vulnerabilities, 38 are rated important and one is rated low. A total of 20 could potentially lead to remote code execution.
“Microsoft started Patch Tuesday a little early this month by releasing the operating system updates last week,” said Chris Goettl, product manager at Ivanti, in his commentary on Patch Tuesday.
He said that last week Microsoft released out-of-band updates resolving three unique CVEs for Meltdown and Spectre, both speculative execution side-channel attacks.
“These additions bring Microsoft’s January patch updates to a total of about 55 vulnerabilities (CVEs). This includes four CVEs that have been publicly disclosed and one CVE detected in exploits in the wild,” Goettl said.
Jimmy Graham, director of product management at Qualys, points out that this month is unique in that Microsoft has halted the deployment of patches for some AMD systems and other updates are incompatible with third-party antivirus software.
“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key,” Microsoft said in a Jan. 3 security bulletin.
Graham also cautions that OS-level and BIOS (microcode) patches that are designed to mitigate Meltdown and Spectre may lead to CPU performance issues.
Listed as under active attack is CVE-2018-0802, a Microsoft Office memory corruption vulnerability that allows remote code execution in Office when the software fails to properly handle objects in memory, according to Microsoft. A target convinced to open a specially crafted Office document could allow an adversary to take control of the affected system.
Microsoft also patched a vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that prevents the components from completely validating a certificate. “An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage taggings,” according to Microsoft.
“This is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid,” according to Zero Day Initiative’s Patch Tuesday analysis.
One of the CVEs (CVE-2018-0819) tackled by Microsoft this month is a spoofing vulnerability in Microsoft Office for Mac, listed as publicly known at the time of release. Because of the flaw, some versions of Microsoft Office for Mac do not handle the encoding and display of email addresses properly. “This improper handling and display may cause antivirus or antispam scanning to not work as intended,” Microsoft describes.
On Monday, Apple released iOS 11.2.2 for iPhone, iPad and iPod touch models, which patches the Spectre vulnerabilities. A macOS High Sierra 10.13.2 supplemental update was also released to bolster Spectre defenses in Apple’s Safari browser and WebKit, the web browser engine used by Safari, Mail, and App Store.