Microsoft's January update contains security updates for Edge, Office, and Windows Local Security Authority Subsystem Service. Adobe also released its January updates for Flash Player, Acrobat and Reader.
The Edge patch fixes an elevation of privilege bug that could be exploited if a user visits a malicious webpage. Microsoft notes that “Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain.”
The fix for Office addresses a flaw in Word 2016 that could allow remote code execution if a user opens a rigged Office file. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user,” says Microsoft, which rated the issue important rather than critical.
According to security firm Qualys, the most important bug for Windows Server 2008 admins to fix in this update is a denial of service issue affecting how Local Security Authority Subsystem Service (LSASS) handles authentication requests. Details of the bug were published before this patch, according to Microsoft.
“An attacker who successfully exploited the vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system,” says Microsoft.
Microsoft also notes that the Edge vulnerability was publicly disclosed prior to today’s patch.
Johannes Ullrich of the Internet Storm Center reckons this three-bulletin update was the lightest Microsoft has ever delivered; that is likely due to a shortage of working hours over the Christmas break rather than a lack of bugs to fix.
Microsoft’s fourth Flash-related security bulletin addresses 13 vulnerabilities that Adobe disclosed today in its first security bulletin of the year. Adobe says it’s not aware of any exploits in the wild for these flaws; however, all the Flash bugs are rated critical and all but one could lead to remote code execution if an Internet Explorer user visits an attack page.
Adobe also released an important patch for Reader and Acrobat on Windows and Mac, fixing a total of 29 bugs. All of the bugs could lead to remote code execution, with the exception of one security bypass vulnerability.