Yes, it was Patch Tuesday, but January was one of the smaller fix days in quite a long time.
In that offering, Microsoft cleared vulnerabilities affecting Windows, Office and the Edge web browser.
The software giant released two critical bulletins, including one that resolves a memory corruption vulnerability in Office (CVE-2017-0003). The flaw, caused by the way the software handles objects in memory, can be leveraged to execute arbitrary code in the context of the current user.
The vulnerability can be exploited by getting the targeted user to open a specially crafted file or visit a website hosting a malicious file. The issue was reported to Microsoft by Tony Loi of Fortinet’s FortiGuard Labs.
One of the important bulletins patches a privilege escalation vulnerability in Edge (CVE-2017-0002). The Edge flaw was publicly disclosed before the patch became available.
“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain,” Microsoft said in its advisory.
Another important bulletin patches a denial-of-service (DoS) vulnerability caused by the way the Local Security Authority Subsystem Service (LSASS) in Windows handles authentication requests. The weakness is tracked as CVE-2017-0004.
Researcher Laurent Gaffie found this vulnerability and Microsoft released a fix for it in November. However, an analysis of Gaffie’s PoC code by Nicolás Economou of Core Security helped Microsoft determine that the November update actually patched a different issue. Gaffie’s PoC led to the discovery of two DoS vulnerabilities in LSASS: CVE-2016-7237 and CVE-2017-0004.
The last bulletin released by Microsoft fixes holes in Adobe Flash Player as used in various versions of Windows.
Microsoft has also published an advisory to warn users about a privilege escalation vulnerability affecting .NET Core or .NET Framework projects that use Identity Model Extensions version 5.1.0. The company has advised developers to update their installations to version 5.1.1 or greater.