Don't just grab your CPU bug updates – there's a nasty hole in Office, too

It's 2018 and a Word doc can still pwn your Windows computer

By Shaun Nichols in San Francisco


Patch Tuesday In case you've been hiding under a rock for the entirety of this new year (and we don't blame you if you have) there are a handful of major security flaws that have been dominating the news, and feature prominently in this month's Patch Tuesday update load.

First, let's look at the latest developments in the Meltdown/Spectre saga:

Nvidia, IBM deliver Spectre patches

Nvidia has got around to kicking out graphics driver updates that address the Spectre flaws present in its code – for example, here are some patches for Ubuntu. IBM is also due to release Spectre mitigations for its POWER server line today.

Microsoft AMD-bricking Spectre update yanked

Meanwhile, Microsoft has pulled down KB4056892, the Spectre bug fix that was found to be causing some AMD machines to crash on startup. The Redmond giant now says it is working with AMD to get a compatible patch out ASAP, but in the meantime Athlon machines will not be getting the Spectre update (AMD CPUs are not susceptible to Meltdown, an Intel-specific condition.)

And now back to your regularly scheduled patch headache

The January edition of Microsoft's Patch Tuesday release is a formidable update in its own right, containing updates for 56 CVE-listed flaws including an actively targeted flaw in Office, and critical vulnerabilities in Edge and Internet Explorer.

Microsoft said that CVE-2018-0802, a remote code execution hole in Office, is already being targeted in the wild. The flaw is triggered when the target opens a malformed Word file in Office or WordPad.

As usual, a good chunk of the CVEs (15 in this case) were for vulnerabilities in the scripting engine used by Edge and Internet Explorer. These flaws, none of which have been targeted in the wild yet, would allow remote code execution by way of a specially-crafted website that triggered a memory corruption error.

One flaw catching the eye of security researchers is CVE-2018-0786, a certificate validation bypass.

"This patch addresses a vulnerability in .NET Framework (and .NET Core) that prevents these components from completely validating a certificate," explained Dustin Childs from Trend Micro's Zero Day Initiative.

"This is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid."

Another flaw in .NET, CVE-2018-0785, leaves users vulnerable to account hijacking by way of a cross-site forgery attack.

"An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim's user account without his/her consent," said Microsoft.

"As a result, a victim of this attack may be permanently locked out of his/her account after losing access to his/her 2FA device, as the initial recovery codes would be no longer valid."

In addition to the already-mentioned CVE-2018-0802, Word was the subject of nine other remote code execution and memory disclosure vulnerabilities. Updating Office to close up those holes should be among the top priorities for administrators.

Office for Mac should also be updated, as a spoofing vulnerability (CVE-2018-0819) has been publicly disclosed. Because Outlook for Mac does not properly display or handle email addresses, phishing emails could skip past antivirus and spam filters to appear as genuine.

Grab your Android updates – where available

While we're on the subject of security bugs, don't forget to patch your Android devices with this month's code remedies, if you can. Not every device gets every Android update straight away, if at all.

Last week, amid all the Meltdown and Spectre fanfare, Google published its January batch of updates, which included mitigations against Spectre oversights in Arm processors as well as updates to address 38 other CVE-listed vulnerabilities. These exploitable holes include three remote code execution flaws in the Android media framework, and one in the system software.

Just one Flash fix from Adobe

Meanwhile, the lone update from Adobe this month is for an out of bounds read flaw (CVE-2018-4871) that could allow for information disclosure. No active exploits have been reported. Trend Micro Zero Day Initiative was credited with the discovery. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Apache Hadoop spins cracking code injection vulnerability YARN

Loose .zips sink chips 2: Electric Boogaloo

Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

SoftNAS no longer a soft touch for hackers (for now)... Remote-hijacking vulnerability patched

Your files are someone else's files, too, thanks to storage bug

OpenFlow protocol has a switch authentication vulnerability

It's old, it's everywhere and it's not likely to be fixed in a hurry

Russia's national vulnerability database is a bit like the Soviet Union – sparse and slow

By design, though, not... er, general rubbishness

German e-government SDK patched against ID spoofing vulnerability

Alice becomes Bob

Google’s Android Emulator gains AMD and Hyper-V support

But Intel’s HAXM is still ‘Droid’s preferred hypervisor

Hmm, there's something fishy about this graph charting AMD's push into Intel's server turf

Epyc chips nibble bits off Xeon's x86 revenue share

Monday: Intel teases 48-core Xeon. Tuesday: AMD whips covers off 64-core second-gen Epyc server processor

Chipzilla more like Tyrannosaurus Rekt

On the first day of Christmas, Microsoft gave to me... an emergency out-of-band security patch for IE

Update Internet Explorer now after Google detects attacks in the wild