Microsoft January Patch Tuesday Fixes 56 Security Issues, Including a Zero-Day

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Earlier today, Microsoft published the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, and a defense-in-depth update for Office applications.

This month, things were a little messy. On January 3, Microsoft released an emergency out-of-band security update with fixes for the now infamous Meltdown and Spectre vulnerabilities. That emergency update was supposed to be part of today's Patch Tuesday, so you'll see it in the table below as well.

Besides fixes for the Meltdown and Spectre flaws, the January 3 out-of-band update also contained additional fixes for other security bugs. Those are also included in the table below.
Click to expand...

Microsoft patches 0-day in Office Equation Editor component
But while the Meltdown and Spectre bugs seized everyone's attention this past week, today's Patch Tuesday updates deliver important fixes on their own.

The most important of these is a zero-day vulnerability in the Microsoft Office and Microsoft WordPad applications. Microsoft describes the flaw (CVE-2018-0802) as a memory corruption issue that allows attackers to execute code on a victim's PC. The flaw appears to reside in an old version of the Office Equation Editor component.

Microsoft acknowledged several researchers with discovering the flaw —Qihoo 360, Tencent, 0patch Team, and Check Point— and said

The OS maker addressed the zero-day by removing some of the Equation Editor's functionality.

A security firm pointed out that the Equation Editor was an antiquated and vulnerable component in November 2017. Cybercrime groups quickly moved to exploit the flaw. Now it appears that other groups found new methods to exploit the same component, after previous research pointed out it may be a weak spot in the Office suite.
Click to expand...

Patch for Mailsploit attack
Also this month, Microsoft patched the Mailsploit vulnerability in Outlook for Mac (CVE-2018-0819) that allowed miscreants to send emails with spoofed identities.

Microsoft advisory ADV180001 also includes this month's Adobe Flash security updates, consisting of one bugfix for CVE-2018-4871 (out-of-bounds read that leads to information disclosure).

All in all, Microsoft patched bugs in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core, and ASP.NET Core.

Below is a table listing of all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

......
...
.......
....
......
..
.........
Click to expand...
 
  • Like
Reactions: brambedkar59, Marko :), frogboy and 7 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I got windows and office updates on jan 3-4, and only office updates on jan 9-10.
Am I missing anything?
My AV is windows defender, so I should be getting whatever microsoft has to give...
Win 10 pro x64 RS3
 
  • Like
Reactions: brambedkar59, Marko :), frogboy and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
shmu26 said:
I got windows and office updates on jan 3-4, and only office updates on jan 9-10.
Am I missing anything?
My AV is windows defender, so I should be getting whatever microsoft has to give...
Win 10 pro x64 RS3
Click to expand...
To answer my own question, it looks like only windows 7 got updates on jan 9.
Win 10 did not get anything new.
 
  • Like
Reactions: brambedkar59, Marko :), SHvFl and 1 other person
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
The article should have given the update number instead of all those CVE's that the average Joe doesn't understand.
Today's update is KB4056887

https://support.microsoft.com/en-us/help/4056887/security-update-for-adobe-flash-player

If you manually downloaded the cumulative update from last week (KB4056892), you already have a big chunk of this week's update. (y)
FXp2Anc.jpg

In addition to the patch, I also got a security update for Adobe Flash and Windows MSRT. So Windows 10 recognized that I had one piece so it downloaded the remaining pieces which is nice! I remember back in Windows 7 when this wouldn't work at all...

Ignore the Logitech driver. I got a new mouse.
 
  • Like
Reactions: brambedkar59, Marko :), shmu26 and 1 other person
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
Replies
2
Views
1,512
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • +Reputation
    • Like
    • Applause
Security News Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs
Replies
3
Views
1,038
Security News
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
    • +Reputation
    • Thanks
New Update Windows 10 January 2024 Patch Tuesday (KB5034122)
Replies
0
Views
592
Windows 10
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top