February’s Patch Tuesday deals with 50 vulnerabilities in Microsoft Windows, Office and the web browsers.
Fourteen of the security holes have been rated critical, including an information disclosure flaw in Edge, a memory corruption flaw in Outlook, and a remote code execution vulnerability in Windows’ StructuredQuery component, among others.
One vulnerability, CVE-2018-0771, was publicly disclosed before Microsoft released patches. The issue is a Same-Origin Policy (SOP) bypass that exists due to the way Edge handles requests of different origins.
“An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted,” Microsoft said. The company believes it’s unlikely that this flaw, which it has rated “important,” will be exploited in attacks.
Microsoft’s Nicolas Joly discovered vulnerabilities in Outlook. One of the flaws, CVE-2018-0852, can be leveraged to execute arbitrary code in the context of a user’s session by getting the target to open a specially crafted file with an affected version of Outlook.
The second Outlook vulnerability is a privilege escalation issue, CVE-2018-0850, that can be leveraged to force Outlook to load a local or remote message store. The flaw can be exploited by sending a specially crafted email to an Outlook user.
Microsoft’s Patch Tuesday updates also fix 34 important and two moderate-severity vulnerabilities.