Windows patches: Microsoft kills off Word's under-attack Equation Editor, fixes 56 bugs

Microsoft removes Equation Editor from Word after finding more attacks on Office users.

Video: Microsoft offers new Windows security features with free 90-day taster

Microsoft has released its first Patch Tuesday security update for 2018, which brings fixes for 56 flaws, as well as Adobe Flash updates, and a fix for a new Office vulnerability caused by Word's built-in Equation Editor that's already under attack.

The regular Patch Tuesday update follows Microsoft's troublesome January 3 emergency patches for the Meltdown and Spectre CPU attacks, which have caused confusion for users of some third-party antivirus products and problems for some AMD systems.

Of the fixes 56 vulnerabilities in this update, Microsoft has revisited the 17-year-old Equation Editor flaw in Office it patched in November.

A cybercriminal gang began exploiting that flaw soon after Microsoft released the patch. According to Microsoft, someone else has since been using a related Office memory corruption flaw in remote attacks that are possibly using specially crafted Office or WordPad files.

Researchers at Palo Alto Networks found thousands of attempts to exploit this flaw after the November patch, including one that targeted organizations in Europe. Disguised as a bogus invoice, it installed the FormBook information stealing trojan.

screen-shot-2018-01-10-at-11-20-20.png

Here is a vulnerability summary for Microsoft's January 2018 Patch Tuesday.

Image: Rapid 7

Rather than patch the flaw, Microsoft has decided to remove Equation Editor from Word altogether and has recommended using a third-party app called MathType to edit equations in the removed software. Despite the new attacks, Microsoft says exploitation is unlikely.

All 16 of this month's critical bugs stem from scripting engine flaws affecting Microsoft's Edge and Internet Explorer. Half of the scripting engine bugs were reported by researchers at Google's Project Zero.

Download now: Encryption policy (free PDF)

As noted by Rapid 7, 13 of these browser issues are remote code execution flaws. There are also 38 bugs rated as important, one moderate issue, and a single low-severity issue.

Microsoft fixed a total of 19 Office flaws in this update, including four remote code execution flaws in Word that are rated as important.

Additional updates address bugs in Windows, SMB Server, the Windows Subsystem for Linux, the Windows kernel, .NET Framework, and .ASP.NET

Microsoft released three advisories this month, including its guidance on how to mitigate the Meltdown and Spectre attacks, a note on new defense-in-depth features for Office, and Adobe's latest Flash updates.

Previous and related coverage

Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch

Antivirus firms are playing patch catch-up, as Microsoft releases Meltdown firmware updates for Surface devices.

Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus

Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows.

Read more on Microsoft

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All