STE WILLIAMS

From tomorrow, Google Chrome will block crud ads. Here’s how it’ll work

Starting tomorrow, Google, which makes most of its money from online advertising, will begin blocking egregious ads in its Chrome browser under limited circumstances – though it would really rather not.

The reason, explained Chrome veep Rahul Roy-Chowdhury in a blog post on Tuesday, is that some ads suck.

“It’s clear that annoying ads degrade what we all love about the web,” he said.

Millions of internet users reached that conclusion years ago and have taken steps to block web ads, often as many as possible rather than the worst of the lot, through the use of ad blocking code in browsers, in apps, and in network hardware.

While the Internet Advertising Bureau maintains that “ad blocking is wrong” and offers tone-deaf advice like urging a data diet to improve page load speed rather than advocating for abstinence from privacy-invasion altogether, Google has grasped the depth and breadth of the resentment created by the ad industry’s unrepentant bad behavior.

The Chocolate Factory aims to mitigate some of the industry’s excesses. It’s not, however, engaging in broad, indiscriminate ad blocking – which is good news because websites including El Reg rely on all you lovely people viewing well-behaved adverts. In our case, it funds our journalism.

The fewer bad ads in general circulation on the internet, as a result of Chrome’s crackdown, the higher the chance people will whitelist sites in their ad-blockers, or disable the plugins, which would be a relief for publishers that rely on web ad sales.

Control

Google dipped its toe in these waters before, starting with the introduction of its Ad Preferences Manager (now called Ad Settings in Google Accounts) in 2009. And in 2012, the ad biz introduced a Mute This Ad button, which the company described as “an early step in the right direction of giving users control over ads.”

It could also have been called a belated step to replicate the mute button already available on many keyboards.

Now the search giant is wading a bit deeper, but just a bit. On Thursday, Chrome will be ready to block ads that fall short of the guidelines established by The Coalition for Better Ads, an advertising and publishing industry group. (And, yes, our ads adhere to these guidelines, so Chrome won’t be eating our revenue.)

The organization’s Better Ads Standards are based on a survey of some 40,000 internet users from North America and Europe. The survey identified these most disliked ad formats:

Mobile:

  • Pop-up ads
  • Prestitial ads
  • Mobile pages with more than 30% ad density
  • Flashing animations
  • Poststitial ads that require a countdown to dismiss
  • Fullscreen scrollover ads
  • Large sticky ads
  • Auto-playing videos with sound

Desktop:

  • Pop-up ads
  • Auto-playing videos with sound
  • Prestitial ads with a countdown
  • Large sticky ads

In a blog post to be published today – provided to The Register in advance – Google engineering manager Chris Bentzel explained that Google evaluates websites by sampling pages for Better Ads Standards violations, grading them with a Passing, Warning, or Failing rating.

An example of Chrome blocking a misbehaving ad

Google is making that rating accessible via its Ad Experience Export API and to site owners through the Ad Experience Report in the Google Search Console. The Silicon Valley giant is also providing a way for site owners to request a re-review of ads, for those who believe they’re not breaking the rules.

Failing sites viewed through Chrome are at risk of having Google block their ads. After 30 days of non-compliance with ad standards, Chrome will check the network requests – e.g. JavaScript or image calls – on sites with pages that fall short of requirements against known ad-related URL patterns. And if there’s a match, the ad will be blocked at a network level and will not display.

“This set of patterns is based on the public EasyList filter rules, and includes patterns matching many ad providers including Google’s own ad platforms, AdSense and DoubleClick,” said Bentzel.

According to Bentzel, if a network request has been blocked, Chrome will alert the user and provide an option to allow ads on the site, with differing notifications for desktop and mobile users. Site owners meanwhile can reform their ads and be free from Google’s meddling.
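To make the filtering step concrete, here is an added example (not Google's or Chromium's code) of how a request URL is checked against EasyList-style patterns. It implements the common subset of the EasyList syntax (the `||` host anchor, `|` start/end anchors, `*` wildcards, the `^` separator and `@@` exception rules) and then applies the gate the article describes: the list is consulted only for sites rated Failing for at least 30 days. The rules and host names are constructed for this example and are not taken from the real EasyList.

```python
import re
from typing import List, Tuple

# Constructed rules in EasyList syntax for this example; they are NOT taken
# from the real EasyList, and the host names use the reserved .test TLD.
SAMPLE_RULES = [
    "! comment lines start with '!' in EasyList",
    "||ads.example-adnetwork.test^",               # host and any of its subdomains
    "/banner_*.js",                                # substring match with a wildcard
    "|https://tracker.example.test/pixel.gif|",    # exact URL, anchored both ends
    "@@||ads.example-adnetwork.test/acceptable/*", # exception: never filter this path
]


def rule_to_regex(rule: str) -> "re.Pattern":
    """Translate one EasyList-style pattern into a compiled regex.

    Subset handled here: '||' (match the host and any subdomain), a leading or
    trailing '|' (anchor to the start/end of the URL), '*' (any run of
    characters) and '^' (a separator: any character that is not a letter,
    digit, '_', '-', '.' or '%', or the end of the URL). A trailing '$options'
    list such as $script or $third-party is dropped, not evaluated.
    """
    rule = rule.split("$", 1)[0]
    parts = []
    start = 0
    if rule.startswith("||"):
        # scheme, then an optional subdomain prefix ending in '.', then the host
        parts.append(r"^[a-z][a-z0-9+.-]*://(?:[^/?#]*\.)?")
        start = 2
    elif rule.startswith("|"):
        parts.append("^")
        start = 1
    end_anchor = rule.endswith("|")
    body = rule[start:len(rule) - 1] if end_anchor else rule[start:]
    for ch in body:
        if ch == "*":
            parts.append(".*")
        elif ch == "^":
            parts.append(r"(?:[^A-Za-z0-9_.%-]|$)")
        else:
            parts.append(re.escape(ch))
    if end_anchor:
        parts.append("$")
    return re.compile("".join(parts), re.IGNORECASE)


def compile_rules(rules: List[str]) -> Tuple[list, list]:
    """Split a rule list into (blocking patterns, exception patterns)."""
    block, allow = [], []
    for raw in rules:
        rule = raw.strip()
        if not rule or rule.startswith("!"):
            continue                       # blank line or comment
        if rule.startswith("@@"):
            allow.append(rule_to_regex(rule[2:]))
        else:
            block.append(rule_to_regex(rule))
    return block, allow


def classify_request(url: str, rules: List[str] = SAMPLE_RULES) -> str:
    """Return 'block' if a blocking rule matches and no exception rule does."""
    block, allow = compile_rules(rules)
    if any(p.search(url) for p in allow):
        return "allow"                     # exception rules take precedence
    if any(p.search(url) for p in block):
        return "block"
    return "allow"


def chrome_decision(site_rating: str, days_failing: int, url: str) -> str:
    """Apply the gate the article describes: the URL filter is consulted only
    for sites rated Failing for at least 30 days; everything else loads."""
    if site_rating != "Failing" or days_failing < 30:
        return "load"
    return "blocked" if classify_request(url) == "block" else "load"


if __name__ == "__main__":
    for u in ["https://cdn.ads.example-adnetwork.test/show.js",
              "https://ads.example-adnetwork.test/acceptable/ad.js",
              "https://www.example.test/static/banner_300x250.js",
              "https://www.example.test/article.html"]:
        print(classify_request(u), u)
```

Note that the host anchor only matches the named host and its subdomains: `notads.example-adnetwork.test` does not match `||ads.example-adnetwork.test^`, which is what keeps host-anchored rules from over-blocking.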

Google’s goal, says Bentzel, “is not to filter any ads at all but to improve the experience for all web users.” By highlighting crap online adverts, website owners will be encouraged to up their game, in other words. And ad networks competing against Google that sling crappy internet advertising around will gradually feel the wrath of Chrome. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/google_chrome_ad_blocking/

Roses are red, Kaspersky is blue: ‘That ban’s unconstitutional!’ Boo hoo hoo

Kaspersky Lab, the antivirus house, now claims that the US government’s ban on its products amounts to punishment without trial.

In court filings made late last year Kaspersky said it was intending to use the US Administrative Procedure Act to get the ban declared unconstitutional. Now, according to local reports, the Russian company is bringing the US Constitution’s Bill of Attainder clause, which forbids punishment without trial, into play to bolster its legal arguments.

The American Department of Homeland Security (DHS) banned the use of Kaspersky products in September 2017 across the entire US government.

Controversy had arisen in American governmental circles that a National Security Agency contractor (NSA – a snooping agency like Britain’s GCHQ but better scrutinised) who took his work home with him had leaked software exploits intended to be used for hacking by US government agents thanks to an unintentional upload to the Kaspersky cloud. The Americans convinced themselves that Russian-owned Kaspersky had given access to these exploits to Kremlin intelligence services, though the company denies this.

Not long after the ban, GCHQ in the UK issued a similar order to government departments over here for information classified as Secret or above.

Kaspersky’s PR firm told The Register today: “Kaspersky Lab maintains that the DHS decision is unconstitutional and relied on subjective, non-technical public sources, such as uncorroborated and often anonymously sourced media reports, related claims, and rumors. Furthermore, DHS has failed to provide the company adequate due process to rebut the unsubstantiated allegations underlying the BOD and has not provided any evidence of wrongdoing by the company.”

America is becoming increasingly allergic to foreign tech companies’ wares, on the grounds that what its spies euphemistically call “computer network exploitation” might come home to roost. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/kaspersky_us_ban_legal_fight/

The GDPR Clock Is Running Out. Now What?


Many organizations impacted by new European Union data privacy rules that go into effect May 25 are still blind to some of the basics.

On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The transformative new law is expected to have a profound impact on how businesses the world over collect, manage, and defend their data. But while companies have had more than two years to prepare for the ground-breaking legislation – passed in late 2015 – today many organizations that will be impacted most by the new rules are still blind to some of the basics.

For starters, despite being drafted and enforced by the European Commission, the GDPR represents the first global mandate on data protection. That’s because in the age of big data and widespread connectivity, almost every business today is global in scope and data-driven to some extent. Consequently, there are few companies that won’t need to adjust their policies over the next few months.

Better Late than Never

Where to begin? Bearing in mind that almost all businesses will be touched by the legislation, security teams the world over can start with this three-pronged approach:

Step 1: Assess and audit your data posture
Incremental changes to an existing operational structure can be costlier than reevaluating your approach to data collection and storage from the top down. Businesses should know where and how they are storing data, whether it is encrypted, and whether the encryption keys are stored appropriately. Businesses should do this now while they still have time rather than making “knee-jerk” changes once GDPR is active.

If your company isn’t already implementing audit trails to keep track of where the larger business stands on compliance, this should be your first step. Audit trails assure that no one is resting on their laurels by giving teams necessary “checks-and-balances” in the lead up to the May deadline. These records can be used to hold individuals across the organization accountable, and to assure that they are meeting deadlines by creating a paper trail of activity. IT can reference these trails incrementally in the weeks leading up to the GDPR deadline to get a pulse-check on the overall status of the transition.

Step 2: Re-evaluate systems and technology
Many existing information security systems will need to be restructured or reconsidered to comply with the new GDPR standard. Organizations that rely solely on next-generation firewalls, for instance, won’t be putting enough protections around user data to adequately block theft on the way out. Even proprietary encryption techniques designed by an organization’s IT team may not be as robust as the latest industry standards once compliance becomes an issue. Businesses should look to source technologies built for modern distributed mobile environments, where data can be stored and accessed in a multitude of ways. Solutions that find, encrypt and/or anonymize PII data could become crucial for limiting GDPR fines after a data breach.

Reporting and monitoring of traffic and the exchange of data should also be automated, and easy-to-access – not to mention easy-to-use – since staff at various levels of the corporate totem pole with varied technical expertise will be accessing this information to assure GDPR.

Step 3: Align business goals across the organization
Data collection and storage policies need to be transparent across the business to assure that proper checks and balances are in place. Historically, this knowledge has tended to fall only on IT and security administrators, but given the high stakes of noncompliance with GDPR, the burden needs to fall on all employees across the organization. GDPR gives businesses the opportunity to replace legacy processes that presented communication challenges in the past. Since adhering to GDPR requires buy-in across the organization, issues that were once relegated to dark corners of the company should be top-of-mind throughout.

Hopefully, bearing these approaches in mind and viewing GDPR as an opportunity – not a burden – will set organizations up for success as the May 25th deadline for compliance approaches.

Simon Eappariello is the senior vice president of product and engineering, EMIA at iboss. He has a long history working in cybersecurity, networking, and information technology for global organizations in both the private and public sectors. Simon heads up iboss engineering …

Article source: https://www.darkreading.com/partner-perspectives/iboss/the-gdpr-clock-is-running-out-now-what-/a/d-id/1331030?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Meltdown-and-Spectre-detector comes to Windows Analytics

Microsoft’s added a Meltdown-and-Spectre detector to Windows Analytics, the company’s telemetry analysis tool for sysadmins.

The new version of the tool arrived on Tuesday, when Redmond revealed new features to check antivirus status, operating system update level, and firmware status.

Sysadmins weary from gazing at users’ blue screens will, we guess, welcome the OS status check, because if they’ve got a misbehaving Meltdown/Spectre patch it lets them disable it.

The antivirus check tells you whether your antivirus software is incompatible with patched boxen.

For now the tool can only check firmware status for Intel silicon, which is handy given Intel’s firmware was pulled a couple of weeks back because it was BSODing users. The Intel-only offer is no slight to AMD users, as that company took a few years off from server silicon until 2017 and has a small desktop market share.

The tools can peer into Windows 7 through Windows 10 if users are running the February 2018 patch levels (Win7 SP1, KB2952664; Win8.1, KB2976978; and for Win10, KB4033631). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/meltdown_and_spectre_detector_for_windows_analytics/

OpenSSL alpha adds TLS 1.3 support

Developers working with OpenSSL can finally start to work with TLS 1.3, thanks to the alpha version of OpenSSL 1.1.1 that landed yesterday.

Getting TLS 1.3 into users’ hands and working with infrastructure has been a long, slow process: the first version of its Internet-Draft dates back to April 2014, it reached version 23 in January of this year, and there’s still work to come.

As Hackers.mu developer Logan Velvindron explained to us last October, so-called “middleboxes” can still break when confronted with a TLS 1.3 session. Tests conducted by the IETF working group in December 2017 showed around a 3.25 percent failure rate of TLS 1.3 client connections.

The OpenSSL developers say version 1.1.1 is binary and API compatible with the current version, 1.1.0, so it should act as a “drop in” replacement to let developers use TLS 1.3.

Is anything that simple? Of course not – this is an alpha after all. OpenSSL’s announcement says that for now version 1.1.1 “should not be used for security critical purposes”.

The big change from TLS 1.2 to TLS 1.3 is that the new version will deprecate old cryptographic algorithms entirely, instead of allowing them to be configured into an operational system.

Cloudflare blogged in September 2016 (when the optimistic hope was that the spec would be finalised by December 2016), that there’s an extensive list of potential holes that the new TLS version will bury forever.

As that post explained, RSA key transport (which lacks forward secrecy), CBC mode ciphers (BEAST attacks, anyone?), the insecure RC4 stream cipher and the ancient SHA-1, a Diffie-Hellman slip up, and the FREAK/Logjam bugs are all deprecated, rather than hanging around awaiting a developer’s configuration error.

There’s more than TLS 1.3 in the OpenSSL release. Other features highlighted by the dev team include implementing SHA3 and multi-prime RSA; support for the SipHash set of pseudorandom functions; and a “grand redesign” of the OpenSSL random number generator. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/openssl_1_1_1_alpha_adds_tls_1_3_support/

Microsoft working to scale Blockchain for grand distributed ID scheme

Microsoft’s wanted a really good federated identity scheme ever since the early 2000s, when it gave the world Project Hailstorm, aka “.Net My Services”, to let a web of online services know a little about you and the information you are happy to share with others.

Hailstorm passed, swept back years later as Geneva Server and now seems to have found its way into a blockchain-powered conceptual heir that Microsoft’s now named “Decentralized Digital Identities”.

Alex Simons, director of program management in Microsoft’s Identity Division, has revealed that “Over the last 12 months we’ve invested in incubating a set of ideas for using Blockchain (and other distributed ledger technologies) to create new types of digital identities, identities designed from the ground up to enhance personal privacy, security and control.”

Microsoft’s identity ambitions, he wrote, now centre on user-controlled-and-owned Decentralized ID schemes so that a single data breach can’t give crooks the keys to your kingdom.

“After examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards we believe blockchain technology and protocols are well suited for enabling Decentralized ID,” he wrote.

Failure to launch

But like so many others considering blockchain, Microsoft has hit upon scaling problems.

“While some blockchain communities have increased on-chain transaction capacity (e.g. blocksize increases), this approach generally degrades the decentralized state of the network and cannot reach the millions of transactions per second the system would generate at world-scale,” Simons wrote. “To overcome these technical barriers, we are collaborating on decentralized Layer 2 protocols that run atop these public blockchains to achieve global scale, while preserving the attributes of a world class DID system.”


Microsoft’s not detailed what that work will entail, but has said that its Authenticator app will soon support Decentralized Identities.

“With consent, Microsoft Authenticator will be able to act as your User Agent to manage identity data and cryptographic keys. In this design, only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can’t see) encrypted using these cryptographic keys,” Simons wrote.

Simons didn’t offer a timeline for Microsoft’s contributions, but we imagine they will be eagerly awaited given blockchain transaction times have already seen prominent vendors – Microsoft included – bail from offering pay-by-bitcoin on their online stores. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/microsoft_blockchain/

Shock horror! Telegram messaging app proves insecure yet again!

Telegram has fixed a security flaw in its desktop app that hackers spent several months exploiting to install remote-control malware and cryptocurrency miners on vulnerable Windows PCs.

The programming cockup was spotted by researchers at Kaspersky in October. It is believed miscreants have been leveraging the bug since at least March. The vulnerability stems from how its online chat app handles Unicode characters for languages that are read right-to-left, such as Hebrew and Arabic.

A JavaScript file could be sent as a message attachment to a victim, with the filename crafted to exploit the Unicode bug and cover up the fact it’s a .js document. This tricks the mark into opening what appears to be a safe .png attachment. Windows asks the victim if they are sure they want to open the JavaScript file: if they select “Run,” or configure their PC to not bother asking, then the script is executed, and malware is downloaded and run.

This software nasty can open a backdoor, snoop on the mark, mine alt-coins, and so on. Telegram has, we’re told, corrected the mistake in its open-source application.

“The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string,” Kaspersky’s Alexey Firsh explained today.

“In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text.

“In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.”

Insecurity via obfuscation … A .JS file disguised as a .PNG using Telegram’s Unicode handling bug
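The defensive counterpart to the RLO trick Firsh describes is to inspect attachment names for bidirectional control characters and compare the extension a user would see with the one the operating system will actually use. The following is an added example (not Kaspersky's or Telegram's code) that does exactly that: it lists any bidi controls in a filename, strips them so the displayed name matches the real one, and approximates how an RLO-naive renderer would show the string. The filename `photo_<RLO>gnp.js` and the list of runnable extensions are constructed for this example.

```python
# Unicode bidirectional control characters. Any of them can change how a
# filename is displayed without changing the code points the OS uses to pick
# the extension and therefore the program that opens the file.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u202C": "PDF",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM",
}

# Extensions Windows treats as directly runnable. Constructed for this example;
# not taken from any product's policy.
RUNNABLE_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "exe", "scr",
                       "com", "bat", "cmd", "ps1", "hta", "msi", "lnk", "pif"}


def bidi_controls_in(name: str) -> list:
    """Return (index, label) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def sanitize_filename(name: str) -> str:
    """Strip bidi controls so what is displayed is what the OS will open."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension as the OS resolves it: the text after the last '.' in the raw
    code points (controls removed), lower-cased; '' when there is no dot."""
    clean = sanitize_filename(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def simplified_display(name: str) -> str:
    """Approximate what a renderer shows: text after an RLO is reversed up to
    the matching PDF or the end of the string. Only RLO/PDF are modelled; the
    full Unicode bidi algorithm is more involved, but this reproduces the
    filename trick the article describes."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202E":                          # RLO: reverse what follows
            j = i + 1
            while j < len(name) and name[j] != "\u202C":
                j += 1
            out.extend(reversed(name[i + 1:j]))
            i = j + 1                              # skip the PDF if present
        elif c in BIDI_CONTROLS:                   # other controls: invisible
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Flag names whose displayed extension differs from the one the OS uses."""
    displayed = simplified_display(name)
    shown_ext = displayed.rsplit(".", 1)[1].lower() if "." in displayed else ""
    real_ext = true_extension(name)
    controls = bidi_controls_in(name)
    return {
        "displayed": displayed,
        "true_extension": real_ext,
        "controls": controls,
        "suspicious": bool(controls) and shown_ext != real_ext,
        "runnable": real_ext in RUNNABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample: the bytes say ".js", the screen says ".png".
    sample = "photo_\u202Egnp.js"
    print(analyze_filename(sample))
    print("sanitized:", sanitize_filename(sample))
```

A mail gateway or chat client that applies `sanitize_filename` before rendering, or that refuses attachments where `analyze_filename` reports both `suspicious` and `runnable`, closes this class of spoofing regardless of which client-side rendering bug is in play.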

The Kaspersky crew discovered hackers exploiting this blunder in a number of ways. First off, it was being used to trick victims into installing a remote-access trojan that would regularly ping Russian servers and open a backdoor so that miscreants could remotely control the infected system.

In keeping with current trends, hackers were also using the security hole to install multiple copies of cyber-cash mining software that crafted Zcash, Fantomcoin and Monero coins.

“It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals,” Firsh’s advisory read.

“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.”

It has been less than a year since the last big Telegram flaw, and there have been persistent questions about its security. The fact it doesn’t encrypt messages end-to-end by default, and that it uses its own homegrown cryptography, worries experts. Telegram insists its software is secure.

Activists in repressive regimes may want to use something more tried-and-tested, such as Signal, to avoid accidentally beating themselves to death while committing suicide. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/13/telegram_messaging_app_bug/

While Western Union wired customers’ money, hackers transferred their personal deets

Western Union has confirmed one of its IT suppliers was hacked, and that customer information was exposed to miscreants.

A Register reader, who wished to remain anonymous, showed us a copy of a letter dated January 31 that he received from the money-transfer outfit. The missive admitted that a supposedly secure data storage company used by Western Union was compromised: a database full of the wire-transfer giant’s customer records was vulnerable to plundering, and hackers were quick to oblige.

“We have discovered that some of your information may have been accessed without authorization as a result of a computer intrusion against an external vendor system formerly used by Western Union for secure data storage,” the letter read.

“We promptly moved our external secure storage to a different vendor’s system. We immediately notified law enforcement, and are actively cooperating with its investigation. Expert assistance was also immediately engaged to determine what personal information may have been compromised.”

In other words, it sounds as though a cloud-based or off-site backup storage provider was hacked. Now that system has been shut down, the cops alerted, and digital forensics teams are probing the network intrusion.

Suspicious

“Upon detecting suspicious activity, Western Union permanently discontinued all use of the vendor’s system and the system was taken offline,” a spokesperson for Western Union told The Register today.

“Western Union took immediate action upon learning of this intrusion to notify law enforcement authorities. The company has notified affected individuals and regulators as appropriate. Affected individuals received a customized notification that explains the specific types of his or her personal data that may have been affected.”

According to the letter, the storage archive contained customers’ contact details, bank names, Western Union internal customer ID numbers, as well as transaction amounts, times and identification numbers. Credit card data was definitely not taken, it stressed.

El Reg tweeted a redacted copy of the letter earlier this week.

The red-faced biz was quick to point out that none of its internal payment or financial systems were affected in the attack. It also isn’t saying who the third-party storage supplier was, giving other customers of the slovenly provider time to check whether or not they have been hacked too.

Western Union says that, so far, it isn’t aware of any fraudulent activity stemming from the data security cockup, but just to be on the safe side it is enrolling affected customers in a year of free identity-fraud protection. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/13/western_union_storage_hack/

Roses are red, Windows error screens are blue. It’s 2018, and an email can still pwn you

Serious security flaws in Outlook and Edge are headlining a busy Microsoft Patch Tuesday.

The Redmond giant has issued the February edition of its monthly security update, addressing a total of 50 CVE-listed vulnerabilities in its products. Adobe has also posted an update for flaws in Reader and Experience Manager.

Microsoft, my bloody (insecure) valentine

Headlining the Microsoft patch load is a fix for an Outlook bug, CVE-2018-0852, which is a memory corruption flaw that can be exploited to achieve remote code execution.

Opening a maliciously crafted message attachment or viewing it in the Outlook Preview window pane is enough to trigger the bug and allow nasty code within the file to start running. This code can start installing malware or attempt to hijack the whole machine, and so on.

Microsoft explained in its advisory:

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

Infosec bods noted that, though the flaw is not right now being exploited in the wild, patching it should be a top priority for admins.

“This bug allows an attacker to get code execution through vulnerable versions of Microsoft Outlook,” wrote Dustin Childs of Zero Day Initiative.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution.”

Another Outlook programming cockup fixed this month, CVE-2018-0850, is a bonkers elevation-of-privilege bug triggered when the email client receives a specially crafted message that forces it to load a message store over SMB from a local or remote server. Because the flaw can be exploited when the message is merely received, before it is even opened, the attack could take place without any user interaction.

“To exploit the vulnerability, the attacker could send a specially crafted email to a victim,” Microsoft explained. “Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email. This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.”

Best patch that security blunder as soon as possible, too. Both bugs were found and reported by Nicolas Joly of Pwn2Own fame.

As per usual, the Edge and Internet Explorer browsers each collected a number of bug fixes, both for exploitable flaws in the browsers themselves and in their scripting engines. In all, 11 different CVE-listed memory corruption vulnerabilities, allowing for full remote code execution by malicious webpages, were disclosed and patched.

Visiting a booby-trapped website is enough to exploit these holes, and allow malware to run on your Windows system, so get patching as soon as possible, please.

Edge was also the subject of the lone publicly-disclosed flaw for this month. CVE-2018-0771 is a bypass for the browser’s Same-Origin Policy (SOP) settings. An attacker could craft a webpage to bypass the SOP restrictions and get the browser to send data like cookies from other sites.

“While interesting from a technical viewpoint,” said Childs, “this is not as likely to see much use outside of very targeted attacks in the wild.”

Other problems in Edge include a pair of information disclosure flaws (CVE-2018-0763 and CVE-2018-0839), while Internet Explorer got a patch to address CVE-2018-0847, a bug that would let a webpage use VBScript to pull stored information from memory.

CVE-2018-0825 is a remote code execution flaw in the StructuredQuery component for Windows and Windows Server that can be exploited via either a malicious web page or an email attachment.

Windows Kernel was on the receiving end of patches for 10 different CVE listings, including five elevation of privilege flaws and five information disclosure vulnerabilities. Each of those could be exploited locally by a malicious application to gain sufficient powers to commandeer the whole machine.

Office, meanwhile, was on the receiving end of fixes for CVE-2018-0841, a remote code execution hole exploited through dodgy Excel spreadsheets, CVE-2018-0851, a remote code flaw targeted by any kind of Office document, and CVE-2018-0853, an information flaw that lets Office documents read out of bound memory contents.

Skype bug goes unpatched

One bug that won’t be fixed is a DLL hijacking issue in Skype that was discovered and reported by researcher Stefan Kanthak back in September. He claims the bug, which can be exploited by a local user to gain system-level privileges, has not been patched because Microsoft didn’t want to commit to the “large code revision” needed to address DLL injection.

We’ve asked Microsoft for comment on the matter.

Massive patch for Reader and Acrobat

Adobe also has a major release for February. The Reader and Acrobat apps for both Windows and MacOS have been updated to address 39 CVE-listed flaws.

Of those, 24 address remote code execution from out-of-bounds read errors, seven cover arbitrary code execution via out-of-bounds write errors, five address use-after-free arbitrary code execution bugs, five cover use-after-free bugs, and four cover heap overflow vulnerabilities. One other flaw, CVE-2018-4872, addresses a security bypass error that allows privilege escalation.

Opening booby-trapped documents is enough to exploit these flaws to execute malicious code on a vulnerable system.

Those running the Adobe Experience Manager content management system will also need to install an update that addresses a pair of cross-site scripting flaws, CVE-2018-4875 and CVE-2018-4876. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/patch_tuesday_microsoft_adobe/

Microsoft Fixes Two Security Flaws in Outlook

February security patches include updates for 50 vulnerabilities, 14 of which are critical.

A critical memory corruption vulnerability in Microsoft Outlook that can be exploited via the Preview Pane feature of the email program was fixed today amid a flurry of patches in Microsoft’s February Patch Tuesday security update.

The Outlook flaw (CVE-2018-0852) could be exploited by an attacker to execute malicious code remotely, and if the victim user operates with administrative user rights, the attacker could wrest control of the entire system, Microsoft said in the security update.

Microsoft this month overall has issued patches for some 50 vulnerabilities, including 14 flagged as critical.

Dustin Childs, communications manager for Trend Micro’s ZDI team, says the Outlook flaw should be a priority, especially since merely viewing a malicious email in the Preview Pane could allow the attack to execute. “Even more than the publicly known bugs, this CVE falls into the ‘Patch Now!’ category,” Childs wrote in a blog post today. “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

Microsoft also patched a second Outlook flaw, an elevation-of-privilege bug (CVE-2018-0850) tied to Outlook’s processing of incoming messages. Outlook doesn’t properly validate the email format, so an attacker could use that flaw to “load a local or remote message store” via SMB, according to Microsoft. An attacker would have to send a malicious email to the victim to initiate the attack.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-fixes-two-security-flaws-in-outlook-/d/d-id/1331054?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple