Friday 23 February 2018

Microsoft Issues Security Patch Update for 14 New Critical Vulnerabilities

Posted By: Anas - February 23, 2018








Critical Microsoft Edge Vulnerability


Another critical flaw, an information disclosure vulnerability (CVE-2018-0763), resides in Microsoft Edge and exists due to Edge's improper handling of objects in memory.

An attacker can exploit this vulnerability to successfully obtain sensitive information to compromise the victim's machine further.

"To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability," Microsoft explains.

"However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site."

Other critical issues include several Scripting Engine Memory Corruption vulnerabilities in Microsoft Edge that could be exploited to achieve remote code execution in the context of the current user.

Another Microsoft Edge flaw (CVE-2018-0839), rated as important, is an information disclosure vulnerability that exists due to Edge's improper handling of objects in memory.

Successful exploitation of the bug could allow attackers to obtain sensitive information to compromise the user's system further.

Internet Explorer also got a patch to address an information disclosure vulnerability (CVE-2018-0847), rated important, that would let a webpage use VBScript to fetch stored information from memory.

Publicly Disclosed Vulnerability Before Being Patched


Although the list of patched vulnerabilities does not include any zero-day flaws, one of the security flaws (CVE-2018-0771) in Microsoft Edge was publicly known before the company released patches, but was not listed as being under active attack.

Listed as Moderate, the issue is a Same-Origin Policy (SOP) bypass vulnerability that occurs due to Microsoft Edge's improper handling of requests from different origins.

The vulnerability could allow an attacker to craft a webpage that bypasses the SOP restrictions and gets the browser to send data from other sites, requests that should otherwise be ignored due to the SOP restrictions in place.

Meanwhile, Adobe on Tuesday also released security updates for its Acrobat, Reader and Experience Manager products to address a total of 41 security vulnerabilities, out of which 17 are rated as critical and 24 important in severity.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

To install security updates, head to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.
