Two Nasty Outlook Bugs Fixed in Microsoft’s Feb. Patch Tuesday Update

One of the bugs could allow a successful attack simply by a user viewing an email in Outlook’s Preview pane.

Microsoft issued 50 security fixes as part of its February Patch Tuesday release, covering vulnerabilities in Windows, Office, Internet Explorer, Edge and its JavaScript engine ChakraCore. Fourteen of the vulnerabilities are labeled as critical, 34 as important and two as moderate.

Two notable vulnerabilities target Outlook. CVE-2018-0852, rated critical, is a remote code execution vulnerability that could give an attacker control of a targeted system if they are logged into their Windows PC with administrator user rights, Microsoft said.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software,” wrote Microsoft in its security bulletin. A successful attack allows an adversary to run arbitrary code in the context of the current user.

“What’s truly frightening with this bug is that the (Outlook) Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” ZDI researchers said in a blog post. “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

ZDI is also urging users to immediately patch the second Outlook vulnerability, CVE-2018-0825. This bug is exploited via a maliciously crafted email that forces Outlook to load a pre-configured message once it is received. “You read that right – not viewing, not previewing, but upon receipt,” ZDI notes. “That means there’s a potential for an attacker to exploit this merely by sending an email.”

Other critical vulnerabilities patched this month include, CVE-2018-0771, which affects StructuredQuery in Windows servers and workstations. An attack would use a specially crafted file delivered via email or through a malicious website.

According to Microsoft, attackers could take over systems if the victim is logged with administrative credentials, giving them the ability to install programs, manipulate data and create new user accounts. “This patch should be at the top of the priority list,” said Jimmy Graham, director of product management at Qualys, in a blog post.

Microsoft’s Patch Tuesday update also delivers patches for more than 10 kernel vulnerabilities associated with local escalation of privilege and information disclosure bugs.

A number of them have been given exploitability index of 1, which means they are “more likely” to be exploited, according to Microsoft’s ranking system.

“While these vulnerabilities cannot be exploited remotely, they could be used by a threat actor to gain elevated privileges on a system they have compromised through some other means,” said Chris Goettl, director of product management at Ivanti, in a commentary provided to Threatpost.”These would often be used in an APT (advanced persistent threat) situation where the attacker is slowly working their way through an environment and need to gain additional permissions to gain access to move further toward their goal.”

Six additional patches focus on vulnerabilities in Office. CVE-2018-0841 is a vulnerability in Excel that allows remote code execution by taking advantage of how Excel handles object in memory, according to Microsoft’s description. As with other vulnerabilities addressed in this month’s release, a successful attacker would gain full control over the system if the user is logged in as an administrator.

“This is a good example of why privilege management is so important,” Goettl said. “It is hard to take admin rights back from a user once granted, but there are other methods to take away specific capabilities to take some of the risk out of that full administrator user as well.  It is recommended to look into options like this.”

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.