In its first Patch Tuesday of the year, Microsoft released one critical security bulletin and seven others rated ‘important.’
The critical bulletin addresses a vulnerability in Microsoft Windows’ Telnet Service that enables an attacker to remotely execute code via specially crafted packets sent to an affected Windows server. Only users who enable Telnet are vulnerable to the issue. Telnet is not installed by default on systems running Windows Vista and later, and is installed but not enabled on Windows Server 2003.
“January is shaping up to be a pretty big month for patching,” noted Chris Goettl, product manager with Shavlik Technologies. “All of the updates are focused on Windows, but there are several elevation of privilege vulnerabilities and many services that are affected by these updates.”
In fact, four of the eight bulletins deal with privilege escalation issues. One of these, MS15-004, is reported by Microsoft to be under limited, targeted attacks in the wild. According to Microsoft, the vulnerability exists in the TS WebProxy Windows component and is caused when Windows fails to properly sanitize file paths. Currently, the vulnerability is being used in attacks as a sandbox bypass.
“To successfully exploit this vulnerability, an attacker would have to take advantage of an existing vulnerability in Internet Explorer by tricking a user into downloading a specially crafted application,” Microsoft notes in the advisory. “In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.”
The privilege escalation issues fixed in the updates include the bug uncovered by Google in Windows 8.1. The remaining bulletins address a vulnerability that could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) and two others that could allow an attacker to bypass a security feature in Windows.
“The interesting thing about…the Error Reporting vulnerability (MS15-006) is that it’s another example where a feature that is intended to help a user is being misused to circumvent security settings and possibly read information from running processes that should otherwise be private,” said Jon Rudolph, principal software engineer at Core Security. “It’s a step in the right direction that Microsoft is hardening Windows against tricky network packets and malicious error messages and as we always note, these updates will protect users…but only if the users keep their systems updated.”
Last week, in a controversial move, Microsoft announced that it would no longer publicly publish information about Patch Tuesday updates on the Thursday before Patch Tuesday.
In addition to the Microsoft vulnerabilities, Adobe Software pushed out a number of patches for Adobe Flash Player. The vulnerabilities are classified as ‘critical’; however, Adobe said that none of them are known to be currently under attack.