This month's Microsoft Patch Tuesday release addresses eight bugs, including one “critical” vulnerability within Windows Telnet Service.
The rest remaining vulnerabilities were rated “important,” according to the company's security bulletin summary for the month.
This month's Patch Tuesday is the first to not have a preview released on the preceding Friday. The company announced this past week that it will no longer release a public blog post to preview its Patch Tuesday releases, to the dismay of many industry professionals.
Ross Barrett, senior manager of security engineering at Rapid7, explained the move and its implications on the monthly Tuesday release.
“What this means is that the world at large is getting their first look at understandable information about this round of patches 30 minutes after the automatic updates to fix those patches were triggered by Microsoft,” he said in prepared comments to SCMagazine.com. “Assuming you have automatic updates set to almost constant checking, and the affected platforms are supported by automatic patching, you might already be patched.”
The bulletins address multiple bugs that had already been disclosed online, including a controversial elevation of privilege flaw in Windows 8.1.
Google's “Project Zero” team detailed the flaw online in late December, 90 days after disclosing it to Microsoft. An attacker must already possess logon credentials to exploit the vulnerability, however. Bulletin MS15-001 addresses the flaw by correcting how impersonation levels are validated and enforced, the bulletin said.
Multiple industry experts found MS15-004 to be a critical bulletin that deserves priority in patching, even though Microsoft only deemed it “important.” The flaw could allow for elevation of privilege if an attacker convinces a user to run a specific malicious application. If exploited, the attacker could gain the same user rights as the current user. Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8 and 8.1, Windows Server 2012 and 2012 R2, Windows RT and RT 8.1, and the Server Core installation option are affected.
“MS15-004 is detected to be under limited, targeted exploitation in the wild, however the vulnerability is not listed as publicly disclosed, either way, it grants Elevation of Privilege on Windows Vista and later operating systems, including Server Core, and should definitely be patched urgently,” wrote Barrett.
No bulletins in this release apply to Internet Explorer, which could be the reason behind the small batch.