It’s a brand new year, and it got off to a less-than-auspicious beginning in the Microsoft patching arena with the announcement that advance notifications will no longer be available to the general public. As I sat at my desk on Patch Tuesday, not knowing how many updates to expect, I began to wonder if the company had decided to stop publishing the security bulletins themselves, too. Noon my time (10:00 a.m. in Redmond, the usual time of release) came and went and my anxiety increased, but they finally appeared – about 40 minutes late.

It turns out we’re looking at eight security updates this month, not a particularly light load but far short of some of the mammoth slates of patches we’ve seen before.  One thing about this group of patches that’s unusual is that every one of them affects Microsoft Windows; usually there will be the odd patch or two for Office or one of the server products.

The good news is that only one of the eight updates addresses a vulnerability that’s rated critical. The rest are all rated as important.

For more information about the updates and step-by-step instructions regarding any workarounds, please see the individual security bulletins, which are linked in this month’s Security Bulletin Summary.

Critical

MS15-002 (KB3020393) The sole critical bulletin this month addresses one vulnerability in the Windows Telnet service that was reported privately. It affects Windows Vista, 7, 8, 8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect Windows RT and RT 8.1.

This is a remote code execution vulnerability that can be exploited by sending specially-crafted packets via Telnet. Telnet is not installed by default on Windows operating systems beginning with Windows Vista, and it is installed on Windows 2003 but is not enabled. This lowers the risk since you would have to install and/or enable the service to be vulnerable to this attack.

The update fixes the problem by changing the way Telnet validates user input.

Important

MS15-001 (KB3023266) This very first security bulletin of 2015 addresses one vulnerability in the Windows Application Compatibility Cache that had been publicly disclosed. It affects Windows 7, 8, 8.1 and RT/RT 8.1, as well as Server 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect the older supported operating systems (Vista and Server 2003 and 2008).

This is an elevation of privilege vulnerability by which an attacker could obtain administrative privileges by logging onto a system and running a specially crafted malicious application. The attacker could then execute arbitrary code with those elevated privileges.

The update fixes the problem by changing the way the Windows Application Compatibility Infrastructure processes impersonation token usage and ensuring that the authorization is properly checked.

MS15-003 (KB3021674) This update addresses another publicly disclosed vulnerability, this one in the Windows User Profile Service. It affects all supported versions of Windows: Vista, 7, 8, 8.1, RT/RT 8.1, Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installations.

This is another elevation of privilege vulnerability that, like the previously described vulnerability, can be exploited by an attacker who logs on and runs a specially crafted application.  The attacker could load registry hives associated with other user accounts and thus run programs with the privileges of those other accounts. The good news is that the attacker would have to be able to log on locally with valid credentials; it can’t be exploited remotely so that reduces the risk considerably.

The update fixes the problem by changing the way the User Profile Service validates user privileges.

MS15-004 (KB3025421) This update addresses one vulnerability in the TS WebProxy component of Windows that was privately reported. It affects Vista, Windows 7, 8, 8.1, RT and RT 8.1 as well as Server 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect Server 2003 and 2008.

This is yet another elevation of privilege vulnerability by which an attacker could gain the administrative privileges of another user if he can convince the other user to run a specially crafted application. The attacker would have to trick another user into downloading and installing the malicious application. The vulnerability could be used in conjunction with a remote code execution vulnerability.

The update fixes the problem by changing the way Windows sanitizes file paths. For those who can’t install the update, there is a workaround available that involves removing TSWbPrxy from the IE elevation policy by editing the registry.

MS15-005 (KB3022777) This update addresses one privately reported vulnerability in the Network Location Awareness Service. It affects Vista, Windows 7, 8, 8.1 and Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect Windows RT and RT 8.1.

This vulnerability can lead to bypass of a security feature due to the unintentional relaxing of firewall policy and/or configuration of certain services if an attacker who is on the same local network as the victim spoofs responses to DNS and LDAP packets that were sent by the victim. The biggest risk is to client computers that are connected to untrusted networks.

The update fixes the problem by forcing mutual authentication using Kerberos.

MS15-006 (KB3004365) This update addresses a privately reported vulnerability in the Windows Error Reporting feature. It affects Windows 8, 8.1, RT and RT 8.1 and Server 2012 and 2012 R2, including the server core installations. It does not affect the older operating systems.

This is another security bypass vulnerability that could allow an attacker to obtain access to the memory of a process running on the computer even when that process is protected by Protected Process Light, which is designed to help mitigate attacks where a malicious user already has admin access and is trying to gain additional credentials. The good news is that in order to exploit this vulnerability, an attacker would have to have valid logon credentials and be able to log on locally.

The update fixes the problem by changing the way the Windows Error Reporting component interacts with processes.

MS15-007 (KB3014029) This update addresses one privately reported vulnerability in the Network Policy Server RADIUS implementation. It affects all currently supported Windows Server operating systems: Server 2003, 2008, 2008 R2, 2012 and 2012 R2. It does not affect the Windows client operating systems (Vista, Windows 7, 8, 8.1, RT and RT 8.1).

This is a denial of service (DoS) vulnerability that an attacker could exploit against an Internet Authentication Service (IAS) or Network Policy Server (NPS) by sending specially crafted username strings to the IAS or NPS server. This could prevent RADIUS authentication from being performed by the IAS or NPS server. It would not allow the attacker to execute code.

The update fixes the problem by changing the way the NPS servers parse username queries when implementing RADIUS.

MS15-008 (KB3019215) This update addresses one privately reported vulnerability in the Windows kernel-mode driver. It affects all currently supported versions of the Windows client and server operating systems: Vista, Windows 7, 8, 8.1, RT and RT 8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2. However, server operating systems are affected only if they are running the Desktop Experience feature. The server core installations are not affected.

This is an elevation of privilege vulnerability that exists in the WebDAV kernel-mode driver, which does not properly validate and enforce impersonation levels. This can be exploited by an attacker to bypass impersonation-level security and thus obtain elevated privileges. The attacker could then intercept WebDAV requests for files from any server and redirect the file requests to return malicious files instead. The attacker would, however, have to log onto the system and run a specially crafted application in order to be able to exploit this vulnerability.  The attacker can’t exploit the vulnerability without valid logon credentials and the ability to log on locally.

The update fixes the problem by changing the way the kernel-mode driver validates impersonation levels. For those who can’t install the update, there is a workaround available that involves disabling the WebDAV driver via the registry editor. Note that this will prevent access to some WebDAV shares (for example, SharePoint sites).
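For those who want to check where a machine stands against this month's slate, here is an added read-only PowerShell audit (example code, not from Microsoft or the original post). It reports which of the eight KBs listed above are missing and whether the host meets the exposure conditions called out for MS15-002 (Telnet service present and enabled) and MS15-008 (a server running Desktop Experience); the service name TlntSvr and the feature name Desktop-Experience are assumed standard Windows names, not taken from the bulletins.

```powershell
# Added example: audit a host against the January 2015 bulletins.
# Run in an elevated PowerShell prompt; nothing here changes the system.

$Bulletins = @{
    'MS15-001' = 'KB3023266'; 'MS15-002' = 'KB3020393'
    'MS15-003' = 'KB3021674'; 'MS15-004' = 'KB3025421'
    'MS15-005' = 'KB3022777'; 'MS15-006' = 'KB3004365'
    'MS15-007' = 'KB3014029'; 'MS15-008' = 'KB3019215'
}

# 1. Which of this month's KBs are not yet installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing = $Bulletins.GetEnumerator() |
    Where-Object { $installed -notcontains $_.Value } |
    Sort-Object Name
if ($missing) {
    "Missing updates:"
    $missing | ForEach-Object { "  {0} ({1})" -f $_.Name, $_.Value }
} else {
    "All eight January 2015 updates are installed."
}

# 2. MS15-002 exposure: only a risk if Telnet is installed and enabled.
#    'TlntSvr' is the assumed service name of the Windows Telnet server.
$telnet = Get-WmiObject -Class Win32_Service -Filter "Name='TlntSvr'"
if ($null -eq $telnet) {
    "MS15-002: Telnet service not installed; not exposed."
} else {
    "MS15-002: Telnet present (state={0}, start mode={1})" -f $telnet.State, $telnet.StartMode
}

# 3. MS15-008 exposure on servers: affected only with Desktop Experience.
#    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $de = Get-WindowsFeature -Name 'Desktop-Experience' -ErrorAction SilentlyContinue
    if ($de -and $de.Installed) {
        "MS15-008: server with Desktop Experience installed; affected."
    } else {
        "MS15-008: server without Desktop Experience; not affected."
    }
} else {
    "MS15-008: client OS; affected regardless of Desktop Experience."
}
```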