Earlier today, Microsoft published the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, and a defense-in-depth update for Office applications.
This month, things were a little messy. On January 3, Microsoft released an emergency out-of-band security update with fixes for the now infamous Meltdown and Spectre vulnerabilities. That emergency update was supposed to be part of today's Patch Tuesday, so you'll see it in the table below as well.
Besides fixes for the Meltdown and Spectre flaws, the January 3 out-of-band update also contained additional fixes for other security bugs. Those are also included in the table below.
Microsoft patches 0-day in Office Equation Editor component
But while the Meltdown and Spectre bugs seized everyone's attention this past week, today's Patch Tuesday updates deliver important fixes on their own.
The most important of these is a zero-day vulnerability in the Microsoft Office and Microsoft WordPad applications. Microsoft describes the flaw (CVE-2018-0802) as a memory corruption issue that allows attackers to execute code on a victim's PC. The flaw appears to reside in an old version of the Office Equation Editor component.
Microsoft credited several researchers with discovering the flaw (Qihoo 360, Tencent, 0patch Team, and Check Point) and said
The OS maker addressed the zero-day by removing some of the Equation Editor's functionality.
In November 2017, a security firm pointed out that the Equation Editor was an antiquated and vulnerable component. Cybercrime groups quickly moved to exploit the flaw. Now it appears that other groups found new methods to exploit the same component, after previous research pointed out it may be a weak spot in the Office suite.
Patch for Mailsploit attack
Also this month, Microsoft patched the Mailsploit vulnerability in Outlook for Mac (CVE-2018-0819) that allowed miscreants to send emails with spoofed identities.
Microsoft advisory ADV180001 also includes this month's Adobe Flash security updates, consisting of one bugfix for CVE-2018-4871 (out-of-bounds read that leads to information disclosure).
All in all, Microsoft patched bugs in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core, and ASP.NET Core.
Below is a table listing all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table, but the report is much longer. We hosted the full report on GitHub, here.
If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.