Today’s VERT Alert addresses the remainder of the Microsoft January 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-760 on Wednesday, January 10th.
In-The-Wild & Disclosed CVEs
A malicious file could cause code execution due to Microsoft Office Equation Editor’s failure to properly handle objects in memory. Successful exploitation could lead to a full compromise of the account running Microsoft Office. This vulnerability was resolved by removing the equation editor functionality. Microsoft has reported that this vulnerability has been actively exploited.
Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely).
A specially crafted email could be improperly parsed by Microsoft Outlook for Mac, leading to the spoofing of the displayed email address. This could impact some antivirus and antispam software.
Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
Other Information
In addition to the Microsoft vulnerabilities included in the January Security Guidance, a number of security advisories were also made available.
Microsoft has released updates for Adobe Flash. These correspond with Adobe Update APSB18-01. This includes a fix for CVE-2018-4871.
Microsoft has released a defense-in-depth update for Microsoft Office. At this time, details on these measures are not yet available.