It's July 2017 – and your expensive HoloLens can be pwned over Wi-Fi
Augmented Reality bites. Plus: Update Windows boxes, Flash ASAP
Patch Tuesday: Microsoft's HoloLens may only be in the hands of developers, but that hasn't stopped researchers from finding major security holes in the augmented reality headset.
Critical fixes for HoloLens were among the 57 CVE-listed flaws Redmond had to address in this month's edition of Patch Tuesday. Of the 57 bugs blasted in various Microsoft products, 19 are listed as critical and 24 could potentially allow for remote code execution. Four vulnerabilities were disclosed publicly before today's patches landed, but none are being targeted in the wild at the moment.
In addition to security fixes for the usual suspects – Internet Explorer, Edge, Windows, and Office – the July updates include patches for exploitable bugs in .NET Framework and Microsoft Exchange Server.
Just one of the four publicly known vulns is considered critical, and fortunately it is for a product not many people are using at the moment: Microsoft HoloLens.
CVE-2017-8584 is a remote code execution vulnerability present in the handling of Wi-Fi packets by the HoloLens firmware. Microsoft says an attacker who exploited the flaw (via a malformed Wi-Fi packet) would then be able to take control of HoloLens, including the ability to "install programs; view, change, or delete data; or create new accounts with full user rights."
As is usually the case, the bulk of the critical fixes apply to the Internet Explorer and Edge browsers. Those include memory corruption errors in both browsers as well as multiple memory corruption flaws in the Scripting Engine for both browsers that would allow a malicious webpage to achieve remote code execution.
Also catching the eye of security researchers is CVE-2017-8463, a remote code execution flaw in Windows Explorer that is considered critical in all supported versions of Windows and Windows Server.
"An attacker would need to use a bit of social engineering to successfully achieve code execution," writes Dustin Childs of Zero Day Initiative.
"They would need to share both a folder and a piece of malware named with an executable extension, and then trick the user into thinking that the malware was the folder. These types of bugs are commonly used in phishing campaigns and ransomware attacks."
Buried elsewhere among the fixes is a months-old flaw in the Microsoft NT LAN Manager. That vulnerability, detailed to The Reg by researchers at Preempt, would potentially leave the door open for man-in-the-middle attacks.
Office, meanwhile, is once again the subject of remote code execution vulnerabilities (CVE-2017-0243, CVE-2017-8501, CVE-2017-8502) that can be exploited by opening malformed documents. Because the exploit requires the user to manually launch the files, the bugs are reduced to "important" status by Microsoft, though many admins know all too well that users can be tricked into opening an attachment just as easily as clicking on a link.
Meanwhile, Adobe has a (relatively) meager three CVE-listed vulnerabilities to clean up in Flash Player this month. Of those, one (CVE-2017-3099) is a critical memory corruption bug, another (CVE-2017-3080) allows security feature bypass, and the third (CVE-2017-3100) allows memory addresses to be leaked.
While Adobe is releasing the Flash Player patch for Windows, macOS and Linux, users running Chrome, Edge and Internet Explorer 11 (Windows 8.1 and later) should get the updates automatically. ®