Our “Outlook” on February Patch Tuesday

Our “Outlook” on February Patch Tuesday

Our “Outlook” on February Patch Tuesday

With stability restored from last month’s Meltdown and Spectre patches, we’ve resumed 100% patching just in time for some big hitters this month.

Microsoft issued 50 security fixes this month as part of February’s Patch Tuesday release. These patches cover vulnerabilities in Windows, Office, Internet Explorer, Edge and its JavaScript engine ChakraCore. One public disclosure was released (CVE-2018-0771) and 14 vulnerabilities were labelled as critical.

It’s worth noting that Apple also released patches for its products this month, including macOS, iOS and iTunes to address a variety of issues. This includes a fix for Meltdown. Prior to these patches, Apple users would have had to upgrade the entire OS to address the CPU bug.

Our Picks to Prioritise…

A few patches deserve a closer look this month given their criticality and likeliness of exploit, particularly those relating to Microsoft Outlook.

CVE-2018-0852 – Microsoft Outlook Memory Corruption Vulnerability

Whilst publicly known vulnerabilities are usually the priority, we’re putting this to the top of the list to patch! According to Microsoft, this bug allows an attacker to run arbitrary code through vulnerable versions of Microsoft Outlook. What is really concerning about this bug is that the preview pane is an attack vector. What does this mean? Well, simply viewing an email in the preview pane could allow code execution! Yes, you read that right… the end user doesn’t need to open or click on anything in the email – just view it in the preview pane. If this bug turns into an active exploit, unpatched systems will pay the price.

CVE-2018-0771 – Microsoft Edge Security Feature Bypass Vulnerability

The only bug listed as publicly known for February involves the Edge browser. According to Microsoft, this bug could allow an attacker to bypass Same-Origin Policy (SOP) restrictions and allow requests that should otherwise be ignored. The result of this attack would force the browser to disclose information it normally wouldn’t. This is interesting for the techies out there, but is not as likely to be used outside of extremely targeted attacks in the wild (if you who haven’t set your social media profile to private, consider yourself at risk as one of those targets).

CVE-2018-0850 – Microsoft Outlook Elevation of Privilege Vulnerability

This bug occurs when an attacker sends a maliciously crafted email to a victim. The email would need to be crafted in a way that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. This means that by just receiving the mail, an attacker can exploit the system. Between this bug and CVE-2018-0852, it’s not a great month for mail clients. Our advice? Patch now!


Last month we had seen a multitude of issues as Microsoft released patches in the aftermath of Meltdown and Spectre. We strongly advocate testing patches internally, but don’t procrastinate on patching production systems. Our prediction is that the Outlook vulnerabilities will be exploited sooner rather than later and you don’t want to be caught out!

— Sophie McDonald, Options Security Specialist

Leave a Reply

Your email address will not be published. Required fields are marked *