Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Critical Windows Security Vulnerability

In its first Patch Tuesday of the year, Microsoft released one critical security bulletin and seven others rated ‘important.’

In its first Patch Tuesday of the year, Microsoft released one critical security bulletin and seven others rated ‘important.’

The critical bulletin addressees a vulnerability in Microsoft Windows’ Telnet Service that enables an attacker to remotely execute code via specially-crafted packets sent to an affected Windows server. Only users who enable Telnet are vulnerable to the issue. Telnet is not installed by default on systems running Windows Vista and later, and is installed by not enabled on Windows Server 2003.

“January is shaping up to be a pretty big month for patching,” noted Chris Goettl, product manager with Shavlik Technologies. “All of the updates are focused on Windows, but there are several elevation of privilege vulnerabilities and many services that are affected by these updates.”

In fact, four of the eight bulletins have to deal with privilege escalation issues. One of these, MS15-004 is reported by Microsoft to be under limited, targeted attacks in the wild. According to Microsoft, the vulnerability exists in the TS WebProxy Windows component and is caused when Windows fails to properly sanitize file paths. Currently, the vulnerability is being used in attacks as a sandbox bypass.

“To successfully exploit this vulnerability, an attacker would have to take advantage of an existing vulnerability in Internet Explorer by tricking a user into downloading a specially crafted application,” Microsoft notes in the advisory. “In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.”

The privilege escalation issues fixed in the updates include the bug uncovered by Google in Windows 8.1. The remaining bulletins address a vulnerability that could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) and two others that could allow an attacker to bypass a security feature in Windows.

“The interesting thing about…the Error Reporting vulnerability (MS15-006) is that it’s another example where a feature that is intended to help a user is being misused to circumvent security settings and possibly read information from running processes that should otherwise be private,” said Jon Rudolph, principal software engineer at Core Security. “It’s a step in the right direction that Microsoft is hardening Windows against tricky network packets and malicious error messages and as we always note, these updates will protect users…but only if the users keep their systems updated.”

Last week, Microsoft announced that it would no longer be publicly publishing information about Patch Tuesday updates the Thursday before Patch Tuesday in a controversial move.

In addition to the Microsoft vulnerabilities, Adobe Software pushed out a number of patches for Adobe Flash Player. The vulnerabilities are classified as ‘critical’ however Adobe said that none of them are known to be currently under attack.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.