Microsoft released nine patches last night, with one rated as critical.
After the company announced that is to not give advance notifications to anyone but premium customers, the announcement came as a surprise to many. Ross Barrett, senior manager of security engineering at Rapid7, said this “marks the start of a new era”.
He said: “It seems that Microsoft’s trend towards openness in security has reversed and the company that was formerly doing so much right, is taking a less open stance with patch information. It is extremely hard to see how this benefits anyone, other than, maybe who is responsible for support revenue targets for Microsoft.
“What this means is that the world at large is getting their first look at understandable information about this round of patches 30 minutes after the automatic updates to fix those patches were triggered by Microsoft. Assuming you have automatic updates set to almost constant checking, and the affected platforms are supported by automatic patching, you might already be patched.”
The one patch that was rated as critical, MS15-002 affects Telnet. Barrett said: “This risk is mitigated by the fact that only Windows Server 2003 has Telnet installed by default, and in that case, it’s disabled. In all other supported OS versions, Telnet is an optional component that must be installed. However, if you are using Telnet in this day and age, and you have to seriously wonder why anyone one would, this is definitely the biggest risk.”
Tyler Reguly, security researcher at Tripwire, said: “With 8 bulletins and only 8 CVEs, this is a small month for Microsoft in terms of vulnerabilities fixed. While there are a lot of updates, they all apply to the core Windows OS without the need to worry about the difficult patching often associated with Microsoft’s other products. The lack of IE and .NET bulletins aids the small patch drop this month.
“While there are plenty of patches for Server 2003 this month, which is considered EOL in 6 months, it’s more interesting to note that MS15-001 and MS15-006 only affect modern Windows operating systems.”
Wolfgang Kandek, CTO of Qualys, said that one of the other bulletins, MS15-003, also addresses a publicly known vulnerability, a problem in the Windows User Profile Service, which allows for a local escalation of privilege.
Russ Ernst, director of product management at Lumension, said that of the eight bulletins, MS14-004 should be your first priority. “It’s ranked important, but attacks against the impacted Windows components are currently under-way, with the result being an elevation of privilege when a user is convinced to run a specially crafted application and provide the attacker with their user right
s,” he said.
Craig Young, security researcher at Tripwire, pointed out the most notable aspect of the January patch release – the lack of Internet Explorer updates. “Anyone who follows Microsoft updates will know that IE typically receives a monthly update to resolve multiple vulnerabilities, often times including vulnerabilities which had been observed being exploited in the wild,” he said.
“This week we are also seeing Microsoft respond to two vulnerabilities, MS15-001 and MS15-003, in Windows which had been publicly disclosed by Google on a tight 90-day deadline outside of a coordinated disclosure process.
“In the case of MS15-003, Google released the vulnerability details just two days before the official patch release. While neither of these issues are rated as critical, the outing of these vulnerability details has stirred up a lot of debate within the security community regarding the time and place for full disclosure of vulnerability information.”
