We’ve known for a while On the second Tuesday of every month we have an appointment with the security patches for Windows and Office: with Swiss punctuality, Microsoft launches that day (known as ‘Patch Tuesday’) a compilation pack of updates that solve all kinds of vulnerabilities of varying severity.

Yesterday, the company did not miss its appointment and released patches for a total of 120 vulnerabilities, 17 of them critical. Taking a look at the list of the same that comes to solve, we find several that allow a potential attacker to take control of your PC just by performing some daily tasksuch as opening a video file, surfing the web, or opening an attachment.

Screenshot 4

Go to the ‘Windows Update’ section in ‘Settings’ → ‘Update and security’ to install the latest security patches.

1. Playing a media file

An incorrect handling of the objects in the Windows Media Foundation memory made it easier to corrupt it and opened the door for an attacker to take advantage of it (by causing the user to access a certain video or audio file) to install programs, access data or create new administrator accounts.

But that was not all: another similar vulnerability in the Windows Codecs Library (this time related to remote code execution) also allowed us to take control of our system.

2. Browsing a website or handling an HTML file

The update also addresses a ‘zero-day’ vulnerability detected by Kaspersky Labs and affecting Internet Explorer 9; Despite its replacement by Microsoft Edge, it is still a component that is installed by default in Windows 10, so the vulnerability has been rated as “critical” by Microsoft.

Seven hackers became millionaires 'hunting' vulnerabilities in 2019: what are the 'bug bounty' programs that make it possible

More specifically, the bug resides in the jscript9.dll file, the browser scripting engine. As in the previous case, a potential memory corruption (triggered by the visualization of a website or an Office document manipulated for this purpose) could give the attacker as many privileges on the system as the current user has.

Another vulnerability, this time related to handling .html files using the system HTML engine (MSHTML.dll, used by various applications, not just Microsoft) also has similar consequences.

3. Reading a PDF file in MS Edge

But the blame does not fall solely on the old Internet Explorer: its successor, Edge, also includes a vulnerability that allows attackers to exploit memory corruption to take control of our system.

In this case, problems appear when viewing a PDF document hosted on a site and specially designed to exploit this vulnerability.

4. Receiving an e-mail in MS Outlook

Guess what? Yes! Also in this case a potential memory problem could leave our computer completely in the hands of an attacker! This time, the problem would be in a malicious attachment that we could open from Microsoft Outlook.

Via | The Hacker News

Share Four ways your Windows could be hacked … and that you will avoid by installing its latest Patch Tuesday patch