Microsoft January Patch Tuesday Fixes 56 Security Issues, Including a Zero-Day

LASER_oneXM

Earlier today, Microsoft published the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, and a defense-in-depth update for Office applications.

This month, things were a little messy. On January 3, Microsoft released an emergency out-of-band security update with fixes for the now infamous Meltdown and Spectre vulnerabilities. That emergency update was supposed to be part of today's Patch Tuesday, so you'll see it in the table below as well.

Besides fixes for the Meltdown and Spectre flaws, the January 3 out-of-band update also contained additional fixes for other security bugs. Those are also included in the table below.

Microsoft patches 0-day in Office Equation Editor component

But while the Meltdown and Spectre bugs seized everyone's attention this past week, today's Patch Tuesday updates deliver important fixes on their own.

The most important of these is a zero-day vulnerability in the Microsoft Office and Microsoft WordPad applications. Microsoft describes the flaw (CVE-2018-0802) as a memory corruption issue that allows attackers to execute code on a victim's PC. The flaw appears to reside in an old version of the Office Equation Editor component.

Microsoft acknowledged several researchers with discovering the flaw —Qihoo 360, Tencent, 0patch Team, and Check Point— and said

The OS maker addressed the zero-day by removing some of the Equation Editor's functionality.

A security firm pointed out that the Equation Editor was an antiquated and vulnerable component in November 2017. Cybercrime groups quickly moved to exploit the flaw. Now it appears that other groups found new methods to exploit the same component, after previous research pointed out it may be a weak spot in the Office suite.

Patch for Mailsploit attack

Also this month, Microsoft patched the Mailsploit vulnerability in Outlook for Mac (CVE-2018-0819) that allowed miscreants to send emails with spoofed identities.

Microsoft advisory ADV180001 also includes this month's Adobe Flash security updates, consisting of one bugfix for CVE-2018-4871 (out-of-bounds read that leads to information disclosure).

All in all, Microsoft patched bugs in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core, and ASP.NET Core.

Below is a table listing of all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.


shmu26

I got Windows and Office updates on Jan 3-4, and only Office updates on Jan 9-10.
Am I missing anything?
My AV is Windows Defender, so I should be getting whatever Microsoft has to give...
Win 10 Pro x64 RS3
 

shmu26

I got Windows and Office updates on Jan 3-4, and only Office updates on Jan 9-10.
Am I missing anything?
My AV is Windows Defender, so I should be getting whatever Microsoft has to give...
Win 10 Pro x64 RS3
To answer my own question, it looks like only Windows 7 got updates on Jan 9.
Win 10 did not get anything new.
 

DeepWeb

The article should have given the update number instead of all those CVEs that the average Joe doesn't understand.
Today's update is KB4056887

https://support.microsoft.com/en-us/help/4056887/security-update-for-adobe-flash-player

If you manually downloaded the cumulative update from last week (KB4056892), you already have a big chunk of this week's update. (y)
[Image: FXp2Anc.jpg]

In addition to the patch, I also got a security update for Adobe Flash and Windows MSRT. So Windows 10 recognized that I had one piece so it downloaded the remaining pieces which is nice! I remember back in Windows 7 when this wouldn't work at all...

Ignore the Logitech driver. I got a new mouse.
 
