With our first collection of security updates and patches for the new year, Microsoft has delivered a relatively light set of eight patches that affect Microsoft Windows systems, with one rated as critical and the remaining seven rated as important. That means, for January, we will not see the usual set of Internet Explorer or Office updates -- only core windows desktop and server components are updated with this release. In addition to this set of Microsoft bulletins, Adobe has published an update to its Flash Player. We also saw a re-release of the critical update to Internet Explorer (IE) MS14-080. This update re-release is a full version upgrade and will require a full installation as opposed to the more common minor documentation changes.
MS15-001 -- Important
The first update from Microsoft for the year is MS15-001 which patches a publicly disclosed vulnerability in the application compatibility cache built in the Windows platform, that could lead to elevation of privilege security issues. This update affects Window 7, all versions of Windows 8 and Server 2012 (including R2 and Server Core). Include this update in your standard patch deployment schedule.
MS15-002 -- Critical
The second update for the new year is MS15-002, the first patch rated as critical by Microsoft, deals with a single privately reported vulnerability in the Windows Telnet service that could lead to a remote code execution scenario. You may not have ever used the Telnet service, as it is a legacy communication tool that goes back to computing in the 1970's. Though this update is rated as critical, if you are using a system later than Windows Vista, then Telnet is not installed by default, and for modern server systems, it is installed but not enabled. This is low-impact patch that you should be able to deploy pretty quickly.
MS15-003 -- Important
The third update MS15-003, rated as important by Microsoft, deals with a single publicly reported vulnerability in the Windows User Profile Service which could lead to an elevation of privilege scenario where an attacker could insert unauthorized registry settings resulting in the execution of code with elevated permissions on the compromised system. This is another core Windows system update and affects all modern Microsoft desktop and server platforms. This is another relatively low-impact system update, which should be included in your normal patching schedule.
MS15-004 -- Important
The fourth update, MS15-004, is rated as important and deals with a single privately reported vulnerability in how Windows handles path and directory traversals. Though this is a core Windows system update, the actual attack vector is through IE, which could lead to an elevation of privilege security situation. If you prefer to delay the roll-out of this security update, Microsoft has published a work-around that involves deleting a single registry key in the targeted systems. That said, given the relatively low-impact this patch should have on your system, I would include this update in your standard update deployment schedule.
MS15-005 -- Important
The update MS15-005 is another core Windows system update where a privately reported vulnerability in the Windows Network Location Awareness service could potentially allow an attacker to bypass security features, such as setting a more relaxed firewall policy. This update affects all current, supported versions of Windows and Microsoft has not currently published any mitigating factors or workarounds.
MS15-006 -- Important
The Microsoft update MS15-006 brings us another core Windows system component update that addresses a privately reported vulnerability in the Windows Error Reporting (WER) sub-system. This update addresses this vulnerability by changing how WER interacts with other system level processes. This Microsoft patch affects Windows 8.x systems (including RT) and Windows Server 2012 (including Server Core). Given its relatively low impact, this patch should be included in your standard patching schedule.
MS15-007 -- Important
The next update from Microsoft, MS15-007, is rated as important and relates to a Denial of Service (DOS) vulnerability in the RADIUS Network Policy Server. This is a server platform only update that affects Windows Server 2003, 2008 and 2012 R2. The Microsoft RADIUS technology is used to perform authentication, authorization and accounting for remote connections using RADIUS clients. Include this update in your standard patch release cycle.
MS15-008 -- Important
The final update for this January Patch Tuesday, MS15-008, is rated as important by Microsoft and deals with a single privately reported vulnerability in the Windows Kernel-Mode driver system. To exploit this potential elevation of privilege scenario an attacker must have valid login credentials and login locally to the compromised system. This update affects all currently supported Microsoft desktop and server platforms. Given the much reduced attack surface for this vulnerability (you have to be already physically logged on to a machine) and that Microsoft has had numerous issues with kernel mode driver updates in the past (MS14-045), I would suggest some pretty thorough testing on your server platforms. This is contrary to Microsoft's view of the world, but I would suggest that you wait a week prior to deployment.
Adobe APSB15-01 -- Priority 1
The Adobe update APSB15-01 resolves nine vulnerabilities, plugging a variety of issues including memory corruption, heap-based buffer overflow, type confusion, out-of-bounds read and improper file validation issues that could lead to remote code execution scenarios. It is a Priority 1 update and Adobe has recommend that the update should be deployed as soon as possible. This is your "Patch Now" update for January.
This article is published as part of the IDG Contributor Network. Want to Join?