Microsoft, Adobe February 2018 security updates: An overview
The Microsoft February 2018 security updates are for Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Adobe Flash, and ChakraCore (the core part of the Chakra Javascript engine that powers Microsoft Edge).
Jimmy Graham, director of product management at Qualys, considers the Adobe Flash update and that for StructuredQuery in Windows servers and workstations to be the most critical and best implemented as soon as possible.
The former plugs the Flash zero-day bug that is being actively exploited in the wild (CVE-2018-4878), and the latter a critical remote code execution vulnerability (CVE 2018-0825) that can be triggered by a user opening a specially crafted file (delivered via email or compromised website).
“Once again the Microsoft Scripting Engine takes up the wide majority of Critical vulnerabilities,” noted Karl Sigler, a threat intelligence manager at Trustwave.
“These vulnerabilities are bugs in how the Scripting Engine executes scripting languages like Javascript or VBscript. This would affect Microsoft browsers like Edge and IE but also Office documents with macro scripts.” These patches should be prioritized on workstations.
Another critical bug squashed is a memory corruption vulnerability in Outlook (CVE 2018-0852), which can be exploited to achieve remote code execution. Exploitation can be triggered by opening a malicious attachment or viewing the email in Outlook’s Preview Pane.
“If this bug turns into active exploits – and with [the Preview Pane] vector, exploit writers will certainly try – unpatched systems will definitely suffer,” noted Trend Micro Zero Day Initiative’s Dustin Childs pointed out.
Finally, it’s good to note that Microsoft has updated the SPECTRE advisory to say that they’ve released security updates to provide additional protections for the 32-bit (x86) versions of Windows 10 and that customers running these systems should install the applicable update as soon as possible.
“Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time,” they added.
Adobe updates
After the Flash update released last week that fixed the aforementioned zero-day bug actively exploited in the wild, Adobe has pushed out security updates to address vulnerabilities in Adobe Experience Manager, Acrobat, and Acrobat Reader.
But while the Adobe Experience Manager update fixes only two vulnerabilities that could lead to disclosure of sensitive information, the Adobe Acrobat and Acrobat Reader updates are more critical: they plug a considerable number of flaws that can lead to arbitrary code execution, remote code execution, or can be exploited for privilege escalation.