For the first Patch Tuesday in 2015 Microsoft has posted eight bulletins, one critical and seven important, a quite normal start in terms of numbers, but limited in terms of software. For example, there is no update for Internet Explorer.
One of the most important bulletins MS15-001 addresses the current 0-day vulnerability in Windows 8.1. That vulnerability addressed was published by Google’s Project Zero team on December 29th, because Google’s automatic disclosure policy kicked in. Google gives a company 90 days to address the vulnerability with a patch, if none is available the information is made public automatically:
which is taken directly from the bug database: https://code.google.com/p/google-security-research/issues/detail?id=118. Microsoft is not happy with the disclosure since they requested a hold until this Patch Tuesday from Google according to their blog post. We will see how this plays out, it sounds as if there are some communication issues that could be improved.
One of the other bulletins also addresses a publicly known vulnerability – MS15-003 a problem in the Windows User Profile Service, which allows for a local escalation of privilege.
In terms of priority we recommend starting with MS15-002, a critical vulnerability in the Microsoft Telnet Service. If you run the Microsoft Telnet server this is your top vulnerability this month, especially if exposed to the Internet. At Qualys we do not see many people using Telnet in general, so this vulnerability should be fairly sparse – tune in over the coming months and we will have some statistics on this prevalence of this bulletin.
Our next recommendation is to take care of the Adobe Flash update APSB15-01 addresses nine vulnerabilities, which are critical and can be used to take control over the targeted machine. Users of Internet Explorer 10 and 11 are updated automatically (take a look at advisory 2755801 at https://technet.microsoft.com/en-us/library/security/2755801 for more information) as are users of Google Chrome, everybody else needs to download APSB15-01 seperately. This also includes users on Mac OS x and Linux.
We are split about the next priority: IAS/NPS server users should look at MS15-007, which fixes a Denial of Service problem in Microsoft server family, everybody should look at the known vulnerabilities MS15-001 and MS15-003.
Overall a slow to normal start for the security year 2015. Stay tuned to the blog for more information and don’t forget that we are looking at a software update from Oracle this month as well. We are expecting fixes for the majority of Oracle software, including Java, the RDBMS line and MySQL. We let you know as soon as we get more information.