Microsoft Fixes Two Security Flaws in Outlook

Published: 22/11/2024   Category: security




February security patches include updates for 50 vulnerabilities, 14 of which are critical.



A critical memory corruption vulnerability in Microsoft Outlook that can be exploited via the Preview Pane feature of the email program was fixed today amid a flurry of patches in Microsoft's February Patch Tuesday security update.
The Outlook flaw (CVE-2018-0852) could be exploited by an attacker to execute malicious code remotely, and if the victim user operates with administrative user rights, the attacker could wrest control of the entire system, Microsoft said in the security update.
Overall, Microsoft issued patches this month for some 50 vulnerabilities, including 14 flagged as critical.
Dustin Childs, communications manager for Trend Micro's ZDI team, says the Outlook flaw should be a priority, especially since merely viewing a malicious email in the Preview Pane could allow the attack to execute. "Even more than the publicly known bugs, this CVE falls into the “Patch Now!” category," Childs wrote in a blog post today. "The end user targeted by such an attack doesn't need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer."
Microsoft also patched a second Outlook flaw, an elevation of privilege bug (CVE-2018-0850) tied to Outlook's processing of incoming messages. Outlook doesn't properly validate the email format, so an attacker could use that flaw to load a local or remote message store via SMB, according to Microsoft. An attacker would have to send a malicious email to the victim to initiate the attack.
"Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email," ZDI's Childs said.
Also among the patches in this month's Patch Tuesday were updates to Internet Explorer, Microsoft Edge, Windows, ChakraCore, and Adobe Flash.