Microsoft today released its January 2015 Patch Tuesday updates, delivering a fairly light load of eight bulletins...
that address eight unique vulnerabilities. Along with one critical Telnet Windows fix, the software giant also fixed the zero-day vulnerability controversially disclosed by Google late last month.
Craig Young, a computer security researcher with Tripwire Inc.'s Vulnerability and Exposures Research Team, based in Portland, Ore., said that it "should be a pretty smooth ride" for administrators this month as the updates affect only Windows components, sparing SharePoint, Exchange or other Microsoft systems that often bring added complexity. Also of note, there are no Internet Explorer patches included in this month's release, another departure from recent releases.
Of the eight bulletins, the only one rated "critical" (MS15-002) involved Windows Telnet Service. The flaw could potentially allow remote-code execution if an attacker sends specially crafted packets to a vulnerable Windows server.
Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc., based in Redwood Shores, Calif., said he "doesn't think it's a terribly serious problem at this point of time," as he does not see many people using Telnet these days.
Young's recommendation regarding this vulnerability is to get rid of the protocol's use altogether.
"There's no reason to be running Telnet in 2015," he said. However, if an enterprise uses systems that require Telnet, this update should be implemented immediately.
Microsoft fixes Windows 8.1 vulnerability disclosed by Google
Bulletin MS15-001 addresses the Windows 8.1 vulnerability whose details were published Dec. 29 by Google's Project Zero vulnerability research team; that disclosure has become a topic of debate within the security industry.
While its announcement followed Project Zero's standard disclosure policy of revealing a flaw publicly if the vendor hasn't released a fix within 90 days, Google has come under fire from both Microsoft and the community for failing to give Microsoft ample opportunity to address the issue.
According to a blog post written by Microsoft Security Response Center Senior Director Chris Betz, Microsoft had the fix for the vulnerability scheduled for today's Patch Tuesday release and asked Google not to publish the details until the fix was made public.
Kandek said Betz's statement is likely true given that the bulletin is number MS15-001; this suggests the bulletin had been scheduled to go out well in advance and was not a last-minute decision.
Kandek said he is among those who question the ethics of Google's actions.
"The interesting thing is whether it was necessary to publish the vulnerability or whether it would have been more productive to actually talk to Microsoft about it and give it the chance to come out with an update before going public with it," Kandek said.
Betz wrote that Google's actions seem "less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
"Google is trying to push the envelope," Young said, highlighting the search giant's ability to release software updates quickly and frequently. "It's trying to put pressure on other vendors to say it's not acceptable to make people wait for so long for fixes for these vulnerabilities."
However, as Young noted, he can see it from both sides.
"If Google engineers are finding them, that means other people are probably finding them -- or have found them -- and they might already be used in targeted attacks."
Young also said that it is interesting that Microsoft rated the vulnerability at an exploitation level of 2 -- "less likely" -- even though Google has proof-of-concept code for it. This, Young said, means that the code was very much theoretical or non-organic; it's a demonstration that it could happen, but is far from becoming a weaponized exploit.
People have "overblown the risks" these vulnerabilities pose to consumers, Young said.
Of the other five bulletins rated "important" this month, two are related to escalation of privilege, two fix security feature bypass issues, and one could potentially cause a denial-of-service situation.
Microsoft pulls ANS release
In an unprecedented move prior to this month's patch release, Microsoft announced its decision to limit its Advanced Notification Service (ANS) to only Premium members, or paying customers.
In a blog post published Jan. 8, the MSRC's Betz attributed this change to the changing needs of customers.
"Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies," Betz wrote.
The ANS, which lists the products that would be affected in the following week's Patch Tuesday, was typically posted to the company's website the Thursday prior. It was started more than a decade ago as part of the company's patching program.
Customers who have not paid for Premium support can receive ANS updates through myBulletins, an online tool that allows customers to create personalized security bulletins based on the specific applications they run.
The change has been met by criticism across the information security community. Young called this a "touchy subject." Kandek said that many of his peers, practitioners and customers found the preview extremely helpful.
"It's not a good idea to take it away," Kandek said.
Adobe releases critical Flash updates
Separately, Adobe Systems Inc. today released bulletin APSB15-01, providing security updates for nine critical vulnerabilities in its Flash Player that could potentially allow an attacker to take control of a target system. The company said it is not aware of any of these vulnerabilities being exploited in the wild.
These updates apply to Windows, Macintosh and Linux systems. Adobe urges users to upgrade to the latest version of its Flash software: 184.108.40.2067 for Windows and Macintosh users, 220.127.116.110 for users of the Adobe Flash Player Extended Release, and version 18.104.22.1689 for Linux users.
Amol Sarwate, the director of engineering at Qualys, noted that this update should be second on administrators' to-do lists this month as it "has a much larger attack surface than any of the Microsoft bulletins" and affects all operating systems.
A number of versions of Adobe AIR are also vulnerable. The company recommends Adobe AIR desktop runtime users to upgrade to version 16.0.0.045, SDK and Compiler users to update to version 22.214.171.1242 and AIR for Android users to update to 126.96.36.1992.
Catch up on the December 2014 Patch Tuesday news here.