Security Advisor
Microsoft's Light January Patch Includes 1 'Critical' Windows Fix
Today's release also includes a bulletin that addresses the Windows 8.1 zero-day flaw that was discovered by Google.
Microsoft released its first security patch of 2015, and it's a relatively small one. This month features only one security bulletin rated "critical" and seven rated "important" to address a total of eight flaws for Microsoft software and services.
The lone critical item (bulletin MS15-002) is a remote code execution (RCE) fix for all supported Windows and Windows Server versions. The privately reported flaw lies in the Telnet network protocol used to facilitate text communications through a virtual console. According to Microsoft, those who have the service could be attacked if a malicious packet was sent to a Windows Server version with the Telnet service enabled. It's important to note that while installed in Windows Server 2003, the Telnet service is disabled by default. As for Windows OS, the service must be manually downloaded and enabled in Windows Vista and later versions.
While the bulletin is designated the highest severity level from Microsoft, those who might be affected are a small group, according to Qualys CTO Wolfgang Kandek. "If you run the Microsoft Telnet Server this is your top vulnerability this month, especially if exposed to the Internet. At Qualys we do not see many people using Telnet in general, so this vulnerability should be fairly sparse," wrote Kandek in an e-mailed statement.
Important Updates
Those who do not use the Telnet service, but are running Windows 8.1 machines, will find bulletin MS15-001 -- an important fix for a zero-day caching flaw -- the top priority today. While the flaw -- which can lead to an elevation of privilege if a specially crafted code is physically installed and deployed from a system -- is minor in scope, this item has come under controversy due to Google's public disclosure of it. The company released information and proof-of-concept code on the flaw despite Microsoft saying a fix would be coming with today's patch.
Microsoft's January patch also includes six additional important items:
- MS15-003: Closely connected to the flaw associated with bulletin MS15-002, this item aims to fix an elevation of privilege hole in all supported versions of Windows OS and Windows Server.
- MS15-004: As with the previous item, this takes care of a privately reported elevation of privilege flaw in Windows.
- MS15-005: This item addresses a security feature bypass in Windows that could occur if firewall configurations for certain services were altered or disabled.
- MS15-006: Fixes an issue in Windows Error Reporting (WER) that could allow a security feature bypass by an attacker and grant them access to memory of running processes.
- MS15-007: This denial-of-service fix targets a flaw that could be exploited if malicious username strings were sent to either the Internet Authentication Service (IAS) or Network Policy Server (NPS).
- MS15-008: The final item of the month looks to correct an elevation of privilege hole in the Windows WebDAV kernel-mode driver.
Along with today's bulletins, Microsoft has rereleased bulletin MS14-080, a critical cumulative security update that was released in December. The item is being reissued due to some users who experienced crashes when trying to apply it last month.
Fnally, Security Advisory 2755801 has been updated to include the latest fixes for Adobe Flash Player.