Use Microsoft Outlook? Update now to fix these two dangerous bugs

Microsoft's February patches include its mitigations for Meltdown-Spectre CPU attacks in its Security Only update.
Written by Liam Tung, Contributing Writer

Microsoft has released patches for 50 bugs affecting its products, including two dangerous Outlook bugs.

The February updates address security flaws in Internet Explorer, Edge, Microsoft's ChakraCore JavaScript engine, Windows, and Office.

Two worrying bugs fixed this month affected Outlook. One, a memory-corruption flaw, identified as CVE-2018-0852, could allow an attacker to run arbitrary code.

Microsoft says exploitation of this flaw is "less likely" and that an attacker would need to trick a victim into opening a file or visiting an attack site. However, it also notes that an attack vector is the Preview Pane.

As Trend Micro's Zero Day Initiative (ZDI) notes, a target wouldn't need to open or click anything in a malicious email, only view it in the Preview Pane.

"This CVE falls into the 'Patch now' category," ZDI's Dustin Childs warned.

The second Outlook bug that could be worth patching immediately is elevation-of-privilege vulnerability CVE-2018-0850, which stems from Outlook insufficiently validating the formatting of incoming messages before processing them.

An attacker could send a specially crafted email that forces Outlook to load a message store over SMB.

"That means there's a potential for an attacker to exploit this merely by sending an email," explained Childs.

Overall Microsoft's February update includes fixes for 14 critical flaws, 34 important flaws, and two moderate severity issues. None of the bugs is known to be under attack.

Microsoft already released a patch for an Adobe Flash Player zero-day attack affecting Internet Explorer last week, but it has also released it as part of the February monthly update.

Microsoft has also updated its frequently asked questions (FAQ) for its mitigations against the three variants of speculative side-channel execution CPU attacks known as Meltdown and Spectre.

In new items 12 and 13, Microsoft's notes that its 'Security Only' updates are not normally cumulative but it has decided to include the mitigations for Meltdown and Spectre in the February Security Only update, despite having done so in the January Security Only update. These include the updates for AMD-based devices.

It also notes that applying the February security updates will not disable mitigations for Spectre Variant 2 CVE 2017-5715 Branch Target Injection, which need to be addressed by Intel's so-far buggy microcode fix.

Microsoft released an out-of-band security update KB4078130 earlier this month, which disables the mitigation for Variant 2. This update was aimed at customers who had already installed firmware updates with Intel's microcode fix and needed them to be manually installed.

"Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still need to enable the mitigations after proper testing is performed.

Alongside the February security update Microsoft released a new Windows Analytics feature to help enterprise customers check the status of devices with respect to the Meltdown and Spectre mitigations.

Previous and related coverage

Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show

The performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.

Spectre reboot problems: Now Intel replaces its buggy fix for Skylake PCs

And offers patching tips from US CERT, which it failed to brief on the bugs.

Meltdown-Spectre: Malware is already being tested by attackers

Malware makers are experimenting with malware that exploits the Spectre and Meltdown CPU bugs.

Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix

The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots.

Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers

Great work on patching your own products, but why were smaller tech companies kept in the dark?

Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming

Dell and HP have pulled Intel's firmware patches for the Spectre attack.

Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs

AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch

Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.

26% of organizations haven't yet received Windows Meltdown and Spectre patchesTech Republic

Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.

Bad news: A Spectre-like flaw will probably happen againCNET

Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.

Editorial standards