Vulnerabilities / Threats

1/9/2018
04:36 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Patches Exploited Office Bug

An Office memory corruption vulnerability is the only CVE reported as under active attack for this month's Patch Tuesday.

Microsoft today released its first wave of Patch Tuesday updates for 2018. This included fixes for a total of 56 CVEs affecting Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft Edge, ChakraCore, ASP.NET, and the .NET Framework. One flaw has been exploited.

Of these 56 vulnerabilities, 16 were ranked Critical, 38 Important, one Moderate and one Low severity. Today's release includes guidance for mitigating speculative execution side-channel vulnerabilities following the news of Meltdown and Spectre attacks.

The exploited bug patched today, CVE-2018-0802, is a Critical remote code execution vulnerability in Microsoft Office that exists when software doesn't properly handle objects in memory. An attacker who successfully exploited this could run code in the context of the current user, which would let them install programs, view and edit data, or create new accounts with full user rights. It's more dangerous for victims with administrative rights.

Exploitation would require a user to open a specially crafted file with an affected version of Microsoft Office or WordPad. A threat actor could conduct a phishing attack by sending the file via email and convincing the target to open it. In a web-based attack, the attacker could host a website (or compromise a website) with a file to exploit the Office bug.

"No details of the attacks are provided by Microsoft, but the lack of industry discussion likely means this is being used in a targeted attack," writes Dustin Childs of Trend Micro's Zero Day Initiative Communications. There are multiple Office flaws patched this month, all of which Childs says "should also be given a high deployment priority."

In its exploitability assessment, Microsoft reports CVE-2018-0802 has been exploited in the wild. It states that at the time of publication, exploitation is unlikely for both its latest software release and older software release. Affected versions range from Microsoft Office 2007 Service Pack 3 to Microsoft Word 2016, 64-bit edition.

Read more details on CVE-2018-0802, including all affected versions of Office, here.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
How to Engage Your Cyber Enemies
Guy Nizan, CEO at Intsights Cyber Intelligence,  12/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20228
PUBLISHED: 2018-12-19
Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF.
CVE-2018-20230
PUBLISHED: 2018-12-19
An issue was discovered in PSPP 1.2.0. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVE-2018-20231
PUBLISHED: 2018-12-19
Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation.
CVE-2018-20227
PUBLISHED: 2018-12-19
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive.
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...