It’s Patch Tuesday and Microsoft has released a total of eight security updates to patch vulnerabilities and exploits in its Windows operating systems.
Of the eight, one is rated ‘Critical’ while the others are all of ‘Important’ severity levels. The list below details the type of exploit and a small description of them.
- Bulletin #1 (Important) – Following Google publicizing a flaw in Windows before Patch Tuesday arrived, this bulletin patches the exploit that allows an elevation of privilege if an attackers logs in and runs a specifically crafted application. Attackers could then run arbitrary code with elevated privileges.
- Bulletin #2 (Critical) – This patches a vulnerability that allows for remote code execution if an attacker sends specially crafted packets to a Windows server via the Windows Telnet Service.
- Bulletin #3 (Important) – A patch for another elevation of privilege exploit in the Windows User Profile Service.
- Bulletin #4 (Important) – An elevation of privilege exploit security patch in Windows Components. Should an attacker convince a user to run a specifically crafted application it would give the attacker the same level of system privilege as the current user.
- Bulletin #5 (Important) – A security feature bypass patch in the Windows Network Location Awareness service.
- Bulletin #6 (Important) – Another patch to address a security feature bypass exploit in Windows Error Reporting. Attackers could use this exploit to gain access to the memory of running processes.
- Bulletin #7 (Important) – A denial of service prevention patch in Network Policy Server (RADIUS) implementation in Windows. Attackers could use a denial of service attacker by sending specially crafted username strings to an Internet Authentication Service (IAS) or Network Policy Server (NPS).
- Bulletin #8 (Important) – Another elevation of privilege patch, this time in the Windows Kernel-Mode Driver.
Systems affected by the aforementioned exploits include Windows Server 2003/2008/2008 R2/2012/ 2012 R2, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows RT and Windows RT 8.1. As for those running the Windows 10 Technical Preview, none of the bulletins apply.
There are patches for other Windows applications such as the .NET framework, Internet Explorer and Adobe Flash Player for IE included too. As always, it is highly recommended to keep your system secure by installing the latest updates.
"One of the most important bulletins MS15-001 addresses the current 0-day vulnerability in Windows 8.1. That vulnerability addressed was published by Google’s Project Zero team on December 29th, because Google’s automatic disclosure policy kicked in. Google gives a company 90 days to address the vulnerability with a patch, if none is available the information is made public automatically, which is taken directly from the bug database," says Wolfgang Kandek, CTO at Qualys, Inc. "Microsoft is not happy with the disclosure since they requested a hold until this Patch Tuesday from Google according to their blog post. We will see how this plays out, it sounds as if there are some communication issues that could be improved."
Fire up Windows Update and get these security fixes installed!