{"id":11492,"date":"2018-02-14T12:30:01","date_gmt":"2018-02-14T20:30:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/14\/news-5263\/"},"modified":"2018-02-14T12:30:01","modified_gmt":"2018-02-14T20:30:01","slug":"news-5263","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/14\/news-5263\/","title":{"rendered":"February patches bring ominous Outlook fixes and a rebirth of KB 2952664"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security5-100734739-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 14 Feb 2018 10:44:00 -0800<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">The <a href=\"https:\/\/www.askwoody.com\/2018\/february-2018-security-patches-are-out\/\" rel=\"nofollow noopener\" target=\"_blank\">very early reports are in<\/a>, and it looks like this month\u2019s monstrous panoply of patches isn\u2019t as destructive as last month\u2019s \u2013 so far, at least. Aside from a few reported incompatibilities, the big news involves two Outlook security holes that kick in when you download email, or preview a message. There are no known exploits, but if you use Outlook, you need to understand the dangers \u2013 and should seriously consider patching sooner rather than later.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, the blast. Yesterday, Microsoft released its usual Patch Tuesday security updates, which include\u00a0<\/span><a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/summary\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">50 separately identified security holes<\/span><\/a><span style=\"font-weight: 400;\"> (CVEs). 
Those 50 are in addition to the one Adobe Flash Player security hole, <\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4074595\/security-update-for-adobe-flash-player\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CVE 4074595<\/span><\/a><span style=\"font-weight: 400;\">, that was plugged on Feb. 6. Of the 50, 14 are rated Critical, 34 rated Important (which means they aren\u2019t) and two are Moderate. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">As usual, Martin Brinkmann at <\/span><a href=\"https:\/\/www.ghacks.net\/2018\/02\/13\/microsoft-security-updates-february-2018-release\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Ghacks.net has a detailed list<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are no known exploits in the wild for any of the security holes at this point. But\u2026.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Two of the security holes, CVE-2018-0852 and CVE-2018-0850, were both discovered by Microsoft employee Nicolas Joy, both described in full and publicly patched \u2013 as opposed to being buried in some nameless update. Dustin Childs, posting on Trend Micro\u2019s <\/span><a href=\"https:\/\/www.thezdi.com\/blog\/2018\/2\/13\/the-february-2018-security-update-review\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Zero Day Initiative web site<\/span><\/a><span style=\"font-weight: 400;\">, explains why they\u2019re so bothersome. Describing the first security hole, Childs says:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What\u2019s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution. The end user targeted by such an attack doesn\u2019t need to open or click on anything in the email \u2013 just view it in the Preview Pane. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For the second security hole:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This bug occurs when an attacker sends a maliciously crafted email to a victim. The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. You read that right \u2013 not viewing, not previewing, but upon receipt. That means there\u2019s a potential for an attacker to exploit this merely by sending an email. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">To be really blunt: If you\u2019re using Outlook 2007, 2010, 2013, or 2016 \u2013 the installed versions \u2013 you\u2019ll be vulnerable to drive-by email attacks by previewing a bad email or just by downloading a rigged email. No, you don\u2019t need to open the email. It just infects.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Fortunately, there aren\u2019t any known exploits. 
But anyone with installed versions of Outlook should seriously consider installing the patch for Outlook 2007 (<\/span><a href=\"https:\/\/support.microsoft.com\/help\/4011200\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4011200<\/span><\/a><span style=\"font-weight: 400;\">, four months beyond its end-of-support date), Outlook 2010 (<\/span><a href=\"https:\/\/support.microsoft.com\/help\/4011711\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4011711<\/span><\/a><span style=\"font-weight: 400;\">), Outlook 2013 (<\/span><a href=\"https:\/\/support.microsoft.com\/help\/4011697\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4011697<\/span><\/a><span style=\"font-weight: 400;\">), and\/or Outlook 2016 (<\/span><a href=\"https:\/\/support.microsoft.com\/help\/4011682\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4011682<\/span><\/a><span style=\"font-weight: 400;\">). <\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you use Office 2016 Click-to-Run, the patches will appear the next time <\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/office\/mt465751\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CtR updates itself<\/span><\/a><span style=\"font-weight: 400;\">, with version 1708 build 8431.2215 in the Semi-Annual Channel and 1705 build 8201.2258 in the Deferred Channel.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you don\u2019t use Outlook, you needn\u2019t be concerned. 
The infection vector only passes through Outlook.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our old favorite snooping nemeses, KB 2952664 (for Win7) and KB 2976978 (for 8.1) <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3236357\/microsoft-windows\/non-security-office-patches-appear-with-the-reprise-of-kb-2952664-and-2976978.html\"><span style=\"font-weight: 400;\">make a re-appearance<\/span><\/a><span style=\"font-weight: 400;\">, this time as \u201cImportant\u201d and checked. They have a new duty: Starting this month, Microsoft feeds <\/span><a href=\"https:\/\/blogs.windows.com\/business\/2018\/02\/13\/windows-analytics-now-helps-assess-meltdown-and-spectre-protections\/#t01WRpvw2ICtoZ02.97\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Meltdown\/Spectre vulnerability information<\/span><\/a><span style=\"font-weight: 400;\"> into its Azure-based Windows Analytics package using telemetry from those patches. If you\u2019re running Windows Analytics and you don\u2019t want to use <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3248730\/microsoft-windows\/inspectre-see-whether-your-pcs-protected-from-meltdown-and-spectre.html\"><span style=\"font-weight: 400;\">Steve Gibson\u2019s inSpectre<\/span><\/a><span style=\"font-weight: 400;\">, the patches are worthwhile, snooping and all. 
If you don\u2019t plan to upgrade to Win10, and don\u2019t care about an Azure-based snooping tool, there\u2019s no reason to install KB 2952664 or KB 2976978.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft has also re-released its <\/span><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/ADV180002\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Security Advisory ADV180002<\/span><\/a><span style=\"font-weight: 400;\">, to announce that it\u2019s slowly dribbling out Meltdown\/Spectre protection for 32-bit versions of Windows:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft has released security updates to provide additional protections for the 32-bit (x86) versions of Windows 10 as follows: 4074596 for Windows 10, 4074591 for Windows 10 Version 1511, 4074590 for Windows 10 Version 1607, and 4074592 for Windows 10 Version 1703. Microsoft recommends that customers running 32-bit systems install the applicable update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Worth repeating: There are not, and never have been, any Meltdown\/Spectre exploits known to be in the wild. If attacks come, they\u2019re far more likely to appear in browsers \u2013 and the browser manufacturers have been scurrying to guard against problems. A textbook example of tempest in a patching teapot.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A few additional notes:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s still much too early to give this month\u2019s patches a clean bill of health, but at least we aren\u2019t seeing the mass mayhem that accompanied last month\u2019s patches. If you don\u2019t use the installed version of Outlook, there aren\u2019t any pressing problems. 
Sit back and wait for the unpaid beta testers\u2019 screams to subside.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Thanks to all of the explorers and explainers on AskWoody &#8212; PKCano, MrBrian, Abbodi86, AJNorth, and many others.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Patching problem? Post it on the <\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2018\/february-patches-bring-key-outlook-fixes-and-a-rebirth-of-kb-2952664\/\" rel=\"nofollow noopener\" target=\"_blank\"><i><span style=\"font-weight: 400;\">AskWoody Lounge<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3254779\/microsoft-windows\/february-patches-bring-ominous-outlook-fixes-and-a-rebirth-of-kb-2952664.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-11492","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11492"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11492\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11492"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}