In its first Patch Tuesday of the year, Microsoft released one critical security bulletin and seven others rated ‘important.’
The critical bulletin addresses a vulnerability in Microsoft Windows’ Telnet Service that enables an attacker to remotely execute code via specially crafted packets sent to an affected Windows server. Only users who enable Telnet are vulnerable to the issue. Telnet is not installed by default on systems running Windows Vista and later, and is installed but not enabled on Windows Server 2003.
“January is shaping up to be a pretty big month for patching,” noted Chris Goettl, product manager with Shavlik Technologies. “All of the updates are focused on Windows, but there are several elevation of privilege vulnerabilities and many services that are affected by these updates.”
In fact, four of the eight bulletins deal with privilege escalation issues. One of these, MS15-004, is reported by Microsoft to be under limited, targeted attacks in the wild. According to Microsoft, the vulnerability exists in the TS WebProxy Windows component and is caused when Windows fails to properly sanitize file paths. Currently, the vulnerability is being used in attacks as a sandbox bypass.
“To successfully exploit this vulnerability, an attacker would have to take advantage of an existing vulnerability in Internet Explorer by tricking a user into downloading a specially crafted application,” Microsoft notes in the advisory. “In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.”
The privilege escalation issues fixed in the updates include the bug uncovered by Google in Windows 8.1. The remaining bulletins address a vulnerability that could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) and two others that could allow an attacker to bypass a security feature in Windows.
“The interesting thing about…the Error Reporting vulnerability (MS15-006) is that it’s another example where a feature that is intended to help a user is being misused to circumvent security settings and possibly read information from running processes that should otherwise be private,” said Jon Rudolph, principal software engineer at Core Security. “It’s a step in the right direction that Microsoft is hardening Windows against tricky network packets and malicious error messages and as we always note, these updates will protect users…but only if the users keep their systems updated.”
Last week, in a controversial move, Microsoft announced that it would no longer publicly publish information about Patch Tuesday updates the Thursday before Patch Tuesday.
In addition to the Microsoft vulnerabilities, Adobe Software pushed out a number of patches for Adobe Flash Player. The vulnerabilities are classified as ‘critical’; however, Adobe said that none of them are known to be currently under attack.
