Patch Tuesday header

Earlier today, Microsoft published the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, and a defense-in-depth update for Office applications.

This month, things were a little messy. On January 3, Microsoft released an emergency out-of-band security update with fixes for the now infamous Meltdown and Spectre vulnerabilities. That emergency update was supposed to be part of today's Patch Tuesday, so you'll see it in the table below as well.

Besides fixes for the Meltdown and Spectre flaws, the January 3 out-of-band update also contained additional fixes for other security bugs. Those are also included in the table below.

Microsoft patches 0-day in Office Equation Editor component

But while the Meltdown and Spectre bugs seized everyone's attention this past week, today's Patch Tuesday updates deliver important fixes on their own.

The most important of these is a zero-day vulnerability in the Microsoft Office and Microsoft WordPad applications.  Microsoft describes the flaw (CVE-2018-0802) as a memory corruption issue that allows attackers to execute code on a victim's PC. The flaw appears to reside in an old version of the Office Equation Editor component.

Microsoft acknowledged several researchers with discovering the flaw —Qihoo 360, Tencent, 0patch Team, and Check Point— and said

The OS maker addressed the zero-day by removing some of the Equation Editor's functionality.

A security firm pointed out that the Equation Editor was an antiquated and vulnerable component in November 2017. Cybercrime groups quickly moved to exploit the flaw. Now it appears that other groups found new methods to exploit the same component, after previous research pointed out it may be a weak spot in the Office suite.

Microsoft similarly got rid of another feature called Dynamic Data Exchange (DDE) after malware groups began abusing it again, after it previously been abused in the 90s. Microsoft removed DDE only from Word, but not all the entire Office suite.

Patch for Mailsploit attack

Also this month, Microsoft patched the Mailsploit vulnerability in Outlook for Mac (CVE-2018-0819) that allowed miscreants to send emails with spoofed identities.

Microsoft advisory ADV180001 also includes this month's Adobe Flash security updates, consisting of one bugfix for CVE-2018-4871 (out-of-bounds read that leads to information disclosure).

All in all, Microsoft patched bugs in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core, and ASP.NET Core.

Below is a table listing of all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

Tag CVE ID CVE Title
Adobe Flash Player ADV180001 January 2018 Adobe Flash Security Update
Side-Channel ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities
Microsoft Office ADV180003 Microsoft Office Defense in Depth Update
.NET Framework CVE-2018-0786 .NET Security Feature Bypass Vulnerability
.NET Framework CVE-2018-0764 .NET and .NET Core Denial Of Service Vulnerability
ASP .NET CVE-2018-0784 ASP.NET Core Elevation Of Privilege Vulnerability
ASP.NET CVE-2018-0785 ASP.NET Core Cross Site Request Forgery Vulnerabilty
Graphic Fonts CVE-2018-0788 OpenType Font Driver Elevation of Privilege Vulnerability
Graphic Fonts CVE-2018-0754 OpenType Font Driver Information Disclosure Vulnerability
Microsoft Browsers CVE-2018-0762 Scripting Engine Memory Corruption Vulnerability
Microsoft Browsers CVE-2018-0772 Scripting Engine Memory Corruption Vulnerability
Microsoft Edge CVE-2018-0803 Microsoft Edge Elevation of Privilege Vulnerability
Microsoft Edge CVE-2018-0766 Microsoft Edge Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2018-0750 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2018-0741 Microsoft Color Management Information Disclosure Vulnerability
Microsoft Office CVE-2018-0802 Microsoft Office Memory Corruption Vulnerability
Microsoft Office CVE-2018-0798 Microsoft Office Memory Corruption Vulnerability
Microsoft Office CVE-2018-0801 Microsoft Office Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0791 Microsoft Outlook Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0792 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0793 Microsoft Outlook Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0790 Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability
Microsoft Office CVE-2018-0794 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0796 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0789 Microsoft SharePoint Elevation of Privilege Vulnerability
Microsoft Office CVE-2018-0812 Microsoft Word Memory Corruption Vulnerability
Microsoft Office CVE-2018-0819 Spoofing Vulnerability in Microsoft Office for MAC
Microsoft Office CVE-2018-0804 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0805 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0806 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0807 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0799 Microsoft Access Tampering Vulnerability
Microsoft Office CVE-2018-0795 Microsoft Office Remote Code Execution Vulnerability
Microsoft Office CVE-2018-0797 Microsoft Word Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0775 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0818 Scripting Engine Security Feature Bypass
Microsoft Scripting Engine CVE-2018-0770 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0769 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0778 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0780 Scripting Engine Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2018-0776 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0777 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0781 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0758 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0773 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0774 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0768 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2018-0800 Scripting Engine Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2018-0767 Scripting Engine Information Disclosure Vulnerability
Microsoft Windows CVE-2018-0753 Windows IPSec Denial of Service Vulnerability
Windows Kernel CVE-2018-0751 Windows Elevation of Privilege Vulnerability
Windows Kernel CVE-2018-0746 Windows Information Disclosure Vulnerability
Windows Kernel CVE-2018-0744 Windows Elevation of Privilege Vulnerability
Windows Kernel CVE-2018-0745 Windows Information Disclosure Vulnerability
Windows Kernel CVE-2018-0752 Windows Elevation of Privilege Vulnerability
Windows Kernel CVE-2018-0747 Windows Information Disclosure Vulnerability
Windows Kernel CVE-2018-0748 Windows Elevation of Privilege Vulnerability
Windows SMB Server CVE-2018-0749 SMB Server Elevation of Privilege Vulnerability
Windows Subsystem for Linux CVE-2018-0743 Windows Subsystem for Linux Elevation of Privilege Vulnerability

Related Articles:

Microsoft May 2018 Patch Tuesday Fixes 67 Security Issues, Including IE Zero-Day

Microsoft April Patch Tuesday Fixes 66 Security Issues

Microsoft Releases KB4100347, KB4134660, and KB4134661

Microsoft Removes Antivirus Registry Key Check for All Windows Versions

Microsoft Out-Of-Band Security Update Patches Malware Protection Engine Flaw