Don't just grab your CPU bug updates – there's a nasty hole in Office, too

It's 2018 and a Word doc can still pwn your Windows computer

By Shaun Nichols in San Francisco

Posted in Security, 9th January 2018 22:16 GMT

Patch Tuesday: In case you've been hiding under a rock for the entirety of this new year (and we don't blame you if you have), there are a handful of major security flaws that have been dominating the news, and feature prominently in this month's Patch Tuesday update load.

First, let's look at the latest developments in the Meltdown/Spectre saga:

Nvidia, IBM deliver Spectre patches

Nvidia has got around to kicking out graphics driver updates that address the Spectre flaws present in its code – for example, here are some patches for Ubuntu. IBM is also due to release Spectre mitigations for its POWER server line today.

Microsoft AMD-bricking Spectre update yanked

Meanwhile, Microsoft has pulled down KB4056892, the Spectre bug fix that was found to be causing some AMD machines to crash on startup. The Redmond giant now says it is working with AMD to get a compatible patch out ASAP, but in the meantime Athlon machines will not be getting the Spectre update. (AMD CPUs are not susceptible to Meltdown, an Intel-specific condition.)

And now back to your regularly scheduled patch headache

The January edition of Microsoft's Patch Tuesday release is a formidable update in its own right, containing updates for 56 CVE-listed flaws including an actively targeted flaw in Office, and critical vulnerabilities in Edge and Internet Explorer.

Microsoft said that CVE-2018-0802, a remote code execution hole in Office, is already being targeted in the wild. The flaw is triggered when the target opens a malformed Word file in Office or WordPad.

As usual, a good chunk of the CVEs (15 in this case) were for vulnerabilities in the scripting engine used by Edge and Internet Explorer. These flaws, none of which have been targeted in the wild yet, would allow remote code execution by way of a specially-crafted website that triggered a memory corruption error.

One flaw catching the eye of security researchers is CVE-2018-0786, a certificate validation bypass.

"This patch addresses a vulnerability in .NET Framework (and .NET Core) that prevents these components from completely validating a certificate," explained Dustin Childs from Trend Micro's Zero Day Initiative.

"This is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid."

Another flaw in .NET, CVE-2018-0785, leaves users vulnerable to account hijacking by way of a cross-site request forgery attack.

"An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim's user account without his/her consent," said Microsoft.

"As a result, a victim of this attack may be permanently locked out of his/her account after losing access to his/her 2FA device, as the initial recovery codes would be no longer valid."

In addition to the already-mentioned CVE-2018-0802, Word was the subject of nine other remote code execution and memory disclosure vulnerabilities. Updating Office to close up those holes should be among the top priorities for administrators.

Office for Mac should also be updated, as a spoofing vulnerability (CVE-2018-0819) has been publicly disclosed. Because Outlook for Mac does not properly display or handle email addresses, phishing emails could skip past antivirus and spam filters to appear as genuine.

Grab your Android updates – where available

While we're on the subject of security bugs, don't forget to patch your Android devices with this month's code remedies, if you can. Not every device gets every Android update straight away, if at all.

Last week, amid all the Meltdown and Spectre fanfare, Google published its January batch of updates, which included mitigations against Spectre oversights in Arm processors as well as updates to address 38 other CVE-listed vulnerabilities. These exploitable holes include three remote code execution flaws in the Android media framework, and one in the system software.

Just one Flash fix from Adobe

Meanwhile, the lone update from Adobe this month is for an out-of-bounds read flaw (CVE-2018-4871) that could allow for information disclosure. No active exploits have been reported. Trend Micro Zero Day Initiative was credited with the discovery. ®
