Microsoft plugs 56 vulns, including Office flaw exploited in attacks

As part of the January 2018 Patch Tuesday, Microsoft has released fixes for 56 CVE-listed vulnerabilities, including the Meltdown and Spectre flaws, and an Office bug actively exploited by attackers.

Office flaw exploited in the wild

Security updates and patches for mitigating the risk of Meltdown and Spectre attacks have received much attention in the past days, but those released by Microsoft on Tuesday also deserve it.

As mentioned earlier, a flaw (CVE-2018-0802) in Microsoft Office 2007, 2010, 2013, and 2016 is being exploited in attacks in the wild.

It can be triggered by the opening of a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software and allows attackers to run arbitrary code in the context of the current user.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” Microsoft explained. “The security update addresses the vulnerability by removing Equation Editor functionality.”

The flaw was reported by researchers from Chinese security company Qihoo 360, Slovenian security outfit ACROS Security, and Check Point. The latter have written a technical blog post detailing the flaw and how it can be exploited.

Apparently, their research was spurred by an earlier discovery of a vulnerability (CVE-2017-11882) in the Office Equation 3.0 process, which was patched by Microsoft last November with a manual patch.

“The attack scenario is relatively straightforward – convince a user to open a specially crafted Office document. No details about the attacks are provided by Microsoft, but the lack of industry discussion likely means this is being used in a targetted attack,” noted Dustin Childs from Trend Micro’s Zero Day Initiative.

Other notable flaws

A certificate validation bypass vulnerability (CVE-2018-0786) in the Microsoft .NET Framework and .NET Core components can allow attackers to “present a certificate that is marked invalid for a specific use, but the component uses it for that purpose.”

As it has been pointed out by Childs, “this is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid.”

CVE-2018-0819, a spoofing vulnerability in Microsoft Outlook for Mac, “may cause antivirus or antispam scanning to not work as intended.”

“To exploit the vulnerability, an attacker could send a specially crafted email attachment to a user in an attempt to launch a social engineering attack, such as phishing. The security update addresses the vulnerability by correcting how Outlook for MAC displays encoded email addresses,” Microsoft noted.

CVE-2018-0785 is a CSRF vulnerability that arises when an ASP.NET Core web application is created using vulnerable project templates and could be exploited by attackers to change the recovery codes associated with victims’ user account without their consent.

“As a result, a victim of this attack may be permanently locked out of his/her account after losing access to his/her 2FA device, as the initial recovery codes would be no longer valid,” Microsoft explained.

CVE-2018-0797 affects Microsoft Office, and can be exploited via a specially crafted RTF file. Again, if the victim is logged on with administrative user rights, an attacker could take control of the affected system.

Finally, Microsoft has also plugged 15 memory corruption and information disclosure vulnerabilities in Scripting Engine that have been deemed “critical.”