Microsoft’s January 2015 patch Tuesday marks the start of a new era. It seems that Microsoft’s trend towards openness in security has reversed and the company that was formerly doing so much right, is taking a less open stance with patch information. It is extremely hard to see how this benefits anyone, other than, maybe who is responsible for support revenue targets for Microsoft.
What this means is that the world at large is getting their first look at understandable information about this round of patches 30 minutes after the automatic updates to fix those patches were triggered by Microsoft. Assuming you have automatic updates set to almost constant checking, and the affected platforms are supported by automatic patching, you might already be patched.
This is a controversial month for Microsoft beyond their changes to their Advance Notification service they have been publicly sparring with security researchers over disclosure procedures. It’s amusing to note, if this sort of thing amuses you, that MS15-001 and MS15-003 confirm that the vulnerability is public, but under acknowledgements simply state “Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure.”
For the rest of the world, we found out after the patches were flying around that Microsoft if fixing 8 issues today, here’s what they look like.
Overall, it’s a low threat month, there is just a single vulnerability marked as Critical with risk of remote code execution and that is MS15-002, which affects Telnet. This risk is mitigated by the fact that only Windows Server 2003 has Telnet installed by default, and in that case, it’s disabled. In all other supported OS versions, Telnet is an optional component that must be installed. However, if you are using Telnet in this day and age, and you have to seriously wonder why anyone one would, this is definitely the biggest risk.
After the Telnet issue, MS15-004 is detected to be under limited, targeted exploitation in the wild, however the vulnerability is not listed as publicly disclosed, either way, it grants Elevation of Privilege on Windows Vista and later operating systems, including Server core, and should definitely be patched urgently.
The next two causes of concern are MS15-001 and MS15-003, the two issues which were not disclosed to the public in a fashion that Microsoft found agreeable to their practices. Since these are both out there, even if exploitation is not yet known, it is more likely that an attack will come.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.