The very early reports are in, and it looks like this month’s monstrous panoply of patches isn’t as destructive as last month’s – so far, at least. Aside from a few reported incompatibilities, the big news involves two Outlook security holes that kick in when you download email, or preview a message. There are no known exploits, but if you use Outlook, you need to understand the dangers – and should seriously consider patching sooner rather than later.
First, the blast. Yesterday, Microsoft released its usual Patch Tuesday security updates, which include 50 separately identified security holes (CVEs). Those 50 are in addition to the one Adobe Flash Player security hole, CVE 4074595, that was plugged on Feb. 6. Of the 50, 14 are rated Critical, 34 rated Important (which means they aren’t) and two are Moderate.
As usual, Martin Brinkmann at Ghacks.net has a detailed list.
There are no known exploits in the wild for any of the security holes at this point. But….
Two of the security holes, CVE-2018-0852 and CVE-2018-0850, were both discovered by Microsoft employee Nicolas Joy, both described in full and publicly patched – as opposed to being buried in some nameless update. Dustin Childs, posting on Trend Micro’s Zero Day Initiative web site, explains why they’re so bothersome. Describing the first security hole, Childs says:
What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution. The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane.
For the second security hole:
This bug occurs when an attacker sends a maliciously crafted email to a victim. The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email.
To be really blunt: If you’re using Outlook 2007, 2010, 2013, or 2016 – the installed versions – you’ll be vulnerable to drive-by email attacks by previewing a bad email or just by downloading a rigged email. No, you don’t need to open the email. It just infects.
Fortunately, there aren’t any known exploits. But anyone with installed versions of Outlook should seriously consider installing the patch for Outlook 2007 (KB 4011200, four months beyond its end-of-support date), Outlook 2010 (KB 4011711), Outlook 2013 (KB 4011697), and/or Outlook 2016 (KB 4011682).
If you use Office 2016 Click-to-Run, the patches will appear the next time CtR updates itself, with version 1708 build 8431.2215 in the Semi-Annual Channel and 1705 build 8201.2258 in the Deferred Channel.
If you don’t use Outlook, you needn’t be concerned. The infection vector only passes through Outlook.
Our old favorite snooping nemeses, KB 2952664 (for Win7) and KB 2976978 (for 8.1) make a re-appearance, this time as “Important” and checked. They have a new duty: Starting this month, Microsoft feeds Meltdown/Spectre vulnerability information into its Azure-based Windows Analytics package using telemetry from those patches. If you’re running Windows Analytics and you don’t want to use Steve Gibson’s inSpectre, the patches are worthwhile, snooping and all. If you don’t plan to upgrade to Win10, and don’t care about an Azure-based snooping tool, there’s no reason to install KB 2952664 or KB 2976978 .
Microsoft has also re-released its Security Advisory ADV180002, to announce that it’s slowly dribbling out Meltdown/Spectre protection for 32-bit versions of Windows:
Microsoft has released security updates to provide additional protections for the 32-bit (x86) versions of Windows 10 as follows: 4074596 for Windows 10, 4074591 for Windows 10 Version 1511, 4074590 for Windows 10 Version 1607, and 4074592 for Windows 10 Version 1703. Microsoft recommends that customers running 32-bit systems install the applicable update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time.
Worth repeating: There are not, and never have been, any Meltdown/Spectre exploits known to be in the wild. If attacks come, they’re far more likely to appear in browsers – and the browser manufacturers have been scurrying to guard against problems. A textbook example of tempest in a patching teapot.
A few additional notes:
- KB 4074588 for Win10 1709 brings the build up to 16299.248 and includes dozens of fixes. That makes four cumulative updates for 1709 in the past month – a whole lotta shakin’ goin’ on since 1709 was declared “ready for business.” The 1709 cumulative update may trigger an erroneous error 0x80070643, a bug that appeared in December and hasn’t yet been fixed.
- Edge took it in the shortlinks. This month saw 14 separately identified security holes, 11 of them rated Critical.
- There are no security patches this month for any of the .NET versions. The “Quality Rollups for .NET” that you see are all bug fixes. Microsoft says that if you want to install the “minimum set of updates” you shouldn’t install any of this month’s .NET patches.
- Some versions of Sandboxie reportedly throw blue screens after installing KB 4074592, the Win10 version 1703 cumulative update. The report says Sandboxie 5.22 and betas 5.23.x have that problem.
- You need the QualityCompat registry key enabled before Windows Update will install any of this month’s Windows updates.
It’s still much too early to give this month’s patches a clean bill of health, but at least we aren’t seeing the mass mayhem that accompanied last month’s patches. If you don’t use the installed version of Outlook, there aren’t any pressing problems. Sit back and wait for the unpaid beta testers’ screams to subside.
Thanks to all of the explorers and explainers on AskWoody — PKCano, MrBrian, Abbodi86, AJNorth, and many others.
Patching problem? Post it on the AskWoody Lounge.