Microsoft Patches Critical Windows Security Vulnerability

In its first Patch Tuesday of the year, Microsoft released one critical security bulletin and seven others rated ‘important.’

The critical bulletin addresses a vulnerability in Microsoft Windows’ Telnet Service that enables an attacker to remotely execute code via specially crafted packets sent to an affected Windows server. Only users who enable Telnet are vulnerable to the issue. Telnet is not installed by default on systems running Windows Vista and later, and is installed but not enabled on Windows Server 2003.

“January is shaping up to be a pretty big month for patching,” noted Chris Goettl, product manager with Shavlik Technologies. “All of the updates are focused on Windows, but there are several elevation of privilege vulnerabilities and many services that are affected by these updates.”

In fact, four of the eight bulletins deal with privilege escalation issues. One of these, MS15-004, is reported by Microsoft to be under limited, targeted attacks in the wild. According to Microsoft, the vulnerability exists in the TS WebProxy Windows component and is caused when Windows fails to properly sanitize file paths. Currently, the vulnerability is being used in attacks as a sandbox bypass.

“To successfully exploit this vulnerability, an attacker would have to take advantage of an existing vulnerability in Internet Explorer by tricking a user into downloading a specially crafted application,” Microsoft notes in the advisory. “In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.”

The privilege escalation issues fixed in the updates include the bug uncovered by Google in Windows 8.1. The remaining bulletins address a vulnerability that could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) and two others that could allow an attacker to bypass a security feature in Windows.

“The interesting thing about…the Error Reporting vulnerability (MS15-006) is that it’s another example where a feature that is intended to help a user is being misused to circumvent security settings and possibly read information from running processes that should otherwise be private,” said Jon Rudolph, principal software engineer at Core Security. “It’s a step in the right direction that Microsoft is hardening Windows against tricky network packets and malicious error messages and as we always note, these updates will protect users…but only if the users keep their systems updated.”

Last week, in a controversial move, Microsoft announced that it would no longer publicly publish information about Patch Tuesday updates on the Thursday before Patch Tuesday.

In addition to the Microsoft vulnerabilities, Adobe Software pushed out a number of patches for Adobe Flash Player. The vulnerabilities are classified as ‘critical’; however, Adobe said that none of them are known to be currently under attack.
