Today’s VERT Alert addresses the remainder of the Microsoft January 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-760 on Wednesday, January 10th.
In-The-Wild & Disclosed CVEs
A malicious file could cause code execution due to Microsoft Office Equation Editor’s failure to properly handle objects in memory. Successful exploitation could lead to a full compromise of the account running Microsoft Office. This vulnerability was resolved by removing the equation editor functionality. Microsoft has reported that this vulnerability has been actively exploited.
Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely).
A specially crafted email could be improperly parsed by Microsoft Outlook for Mac, leading to the spoofing of the displayed email address. This could impact some antivirus and antispam software.
Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
In addition to the Microsoft vulnerabilities included in the January Security Guidance, a number of security advisories were also made available.
January 2018 Adobe Flash Security Update [ADV180001]
Microsoft has released updates for Adobe Flash. These correspond with Adobe Update APSB18-01. This includes a fix for CVE-2018-4871.
Microsoft Office Defense in Depth Update [ADV180003]
Microsoft has released a defense-in-depth update for Microsoft Office. At this time, details on these measures are not yet available.