Of note are three vulnerabilities:
- CVE-2018-0852: A memory corruption vulnerability in Microsoft Outlook that, when exploited successfully, can let attackers run arbitrary code. What’s notable about this flaw is that Outlook’s Preview Pane can become an attack vector: the would-be victim need only receive a preconfigured message for malicious code to run. If the user is logged on with administrative rights, attackers can hijack the system, for example by installing programs, viewing, altering or deleting data, or creating privileged user accounts. The malicious file can also be hosted on an attacker-owned or compromised website, in which case the attacker would have to trick users into clicking a link that diverts them to the site.
- CVE-2018-0850: A privilege escalation flaw in Microsoft Outlook. The vulnerability can be exploited through a specially crafted email designed to force Outlook to load local or remote messages over Server Message Block (SMB).
- CVE-2018-0771: A security feature bypass vulnerability in Microsoft Edge. A successful exploit allows Same-Origin Policy (SOP) restrictions in Microsoft Edge to be circumvented. These restrictions prevent a website’s scripts (i.e., JavaScript, Ajax) from accessing sensitive data from, and interacting with, scripts used on other websites.
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/february-patch-tuesday-bouquet-fixes-privilege-escalation-vulnerabilities/