It's now 2017, and your Windows PC can still be pwned by a Word file
Also: Edge is foiled by hyperlinks, Windows Server fails at authentication requests, and Microsoft is a $486bn company
Microsoft has begun its 2017 with the release of four updates to address security holes in Windows and Office, while Adobe has posted fixes for more than three dozen vulnerabilities in Flash and Reader.
Microsoft's January patch load includes:
- MS17-001, a fix for the Edge browser to address a flaw that would let a malicious page gain elevated access privileges when the user clicks on a link.
"An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain," Microsoft says of CVE-2017-0002.
The update will only be pushed out to Windows 10 and Server 2016.
- MS17-002 addresses a memory corruption issue in Office that allows for remote code execution in Office 2016 and SharePoint Enterprise Server 2016.
The flaw, designated CVE-2017-0003, allows a specially crafted Word file to take control of the target system with the current user's access privileges. The vulnerability was spotted by Tony Loi of FortiGuard Labs.
- MS17-003 is Microsoft's edition of the January Flash Player update to remedy 12 security flaws. The patch will be automatically pushed to Windows users running Microsoft Edge or Internet Explorer 11.
- MS17-004 addresses a denial of service vulnerability in Local Security Authority Subsystem Service for older versions of Windows and Windows Server.
Microsoft says that an attacker who sent a specially crafted authentication request to the targeted Windows (Vista through 7) or Windows Server (2008 to 2008 R2) box could trigger an automatic reset. Discovery of the flaw, CVE-2017-0004, was credited to Nicolás Economou and Laurent Gaffie from Core Security.
Meanwhile, Adobe is updating both Flash Player and Acrobat/Reader for Windows, macOS, and Linux desktops.
The Flash Player update covers 13 vulnerabilities, none of which have been actively targeted in the wild yet. Adobe is rating the fix as a critical priority for both Windows and macOS systems, as a successful exploit could allow for remote code execution. Linux systems are thought to be at lower risk for attack, but should still install the update as needed.
The Adobe Acrobat and Reader update patches up 29 CVE-listed problems, including a number of remote code execution flaws in both Windows and macOS. Adobe says it has not yet received reports of active exploits in the wild.
By the way, if you update Reader, bear in mind it comes with a little surprise: a Chrome extension that sends Adobe telemetry. ®