News

January Patch Tuesday: MS Releases 1 'Critical' Windows Fix

• By Chris Paoli
• 01/13/2015

Microsoft released January's security update today, which includes one security bulletin rated "critical" and seven rated "important" to address a total of eight flaws.

The lone critical item (bulletin MS15-002) is a remote code execution (RCE) fix for all supported Windows and Windows Server versions. The privately reported flaw lies in the Telnet network protocol used to facilitate text communication through a virtual console. According to Microsoft, those that have the service enabled could be attacked if a malicious packet was sent to a Windows Server version with the Telnet service enabled. It's important to note that while installed in Windows Server 2003, the Telnet service is disabled by default. As for Windows OS, the service must be manually downloaded and enabled in Windows Vista and later versions.

While the bulletin is designated the highest severity level from Microsoft, those that may be affected are a small group, according to Qualys CTO Wolfgang Kandek. "If you run the Microsoft Telnet server this is your top vulnerability this month, especially if exposed to the Internet. At Qualys we do not see many people using Telnet in general, so this vulnerability should be fairly sparse," wrote Kandek in an e-mailed statement.

Important Updates
Those who do not use the Telnet service, but are running Windows 8.1 machines, bulletin MS15-001, an important fix for a zero-day caching flaw, will be the top priority today. While the flaw -- which can lead to an elevation of privilege if a specially crafted code is physically installed and deployed from a system -- is minor in scope, this item has come under controversy due to Google's public disclosure of it.  The company released information and proof-of-concept code on the flaw despite Microsoft saying a fix would be coming with today's patch.

Microsoft's January patch also includes six additional important items:

• MS15-003: Closely connected to the flaw associated with bulletin MS15-002, this item aims to fix an elevation of privilege hole in all supported versions of Windows OS and Windows Server.
• MS15-004: As with the previous item, this takes care of a privately reported elevation of privilege flaw in Windows.  
• MS15-005: This item addresses a security feature bypass in Windows that could occur if firewall configurations for certain services were altered or disabled.
• MS15-006: Fixes an issue in Windows Error Reporting (WER) that could allow a security feature bypass by an attacker and grant them access to memory of running processes.
•  MS15-007: This denial-of-service fix targets a flaw that could be exploited if malicious username strings were sent to either the Internet Authentication Service (IAS) or Network Policy Server (NPS).
• MS15-008: The final item of the month looks to correct an elevation of privilege hole in the Windows WebDAV kernel-mode driver.

Along with today's bulletins, Microsoft has also rereleased bulletin MS14-080, a critical cumulative security update that was released in December. The item is being reissued due to some users who experienced crashes when trying to apply it last month.

Fnally, Security Advisory 2755801 has been updated to include the latest fixes for Adobe Flash Player.