Microsoft patch Tuesday focuses solely on Windows

For the first time in recent history, Microsoft has issued no security bug fixes for Internet Explorer

he January 2015 edition of Microsoft Patch Tuesday might be more notable for what the monthly release of security bulletins does not contain -- there are no fixes for the Microsoft Explorer browser this month.

To date, almost every Patch Tuesday has come with a fix for Explorer, which has long been a target for abuse by malicious attackers.

The lack of fixes for IE was "pretty surprising to us," said Wolfgang Kandek, chief technology officer of security vendor Qualys, noting the browser was patched every month in 2014. "The one common feature in every Patch Tuesday was that Internet Explorer would get patched."

All the vulnerabilities the company issued patches for Tuesday -- including one marked critical -- are instead found in either the desktop or server editions of its Windows operating system.

All in all, it's a pretty low-key month for Patch Tuesday, compared to the dozens of bulletins that the company has sometimes released in months past.

Affected editions include the desktop-oriented Vista, Windows 7, Windows 8 and 8.1, and Windows RT, as well as Windows Server 2003, 2008 and 2012.

The vulnerability marked as having a critical severity rating, MS15-004, is found in the Telnet protocol, used to provide terminal connections to remote computers. Microsoft typically marks vulnerabilities as critical when they are already being misused by malicious parties to break into systems.

Telnet can be installed on all Windows systems, and is frequently used on the server editions, though the company hasn't enabled it by default for the desktop since Windows Vista.

Administrators should also immediately tend to MS15-004, which describes a vulnerability in Windows 8.1 first brought to notice by Google's Project Zero team on December 29. Google posted details of the vulnerability after waiting for Microsoft to respond, to no avail, for 90 days. Once a vulnerability is public knowledge, it can be abused by attackers.

Kandek attributed the early exposure to a possible breakdown in communications between Google and Microsoft, which normally responds diligently to reports of vulnerabilities. Microsoft criticized Google for publicizing the flaw too early. "It sounds to me that it was unnecessary for this to happen," Kandek said.

The good news is that this vulnerability is not a critical one. An "escalation of privilege" bug, it provides a way for someone with user rights to trick the computer into performing actions that are normally reserved for full administrative use. But the person would first need access to the machine in order to exploit this flaw, Kandek said.

Another vulnerability that administrators should examine is MS15-007, which is a flaw in the Network Policy Server component on the server editions of Windows. "An unauthenticated user could send a special type of request to Windows authentication server and cause a denial of service, so other users could not log in," said Amol Sarwate, director of vulnerability research at Qualys.

For the first time, Microsoft has declined to send out advance notices about upcoming patches. Historically, the company sent out an advance notice on the Thursday prior to Patch Tuesday, which Microsoft schedules on the second Tuesday each month.

Kandek said Microsoft's change in practice was met with a largely negative reaction from all security professionals and researchers he spoke with. Although the monthly advance notice didn't offer details about specific vulnerabilities, it did give administrators an idea about which software would require patches, allowing them to allocate their time in the following week accordingly.

"The security community wants more transparency and more information to be shared, and this seems like a move in the wrong direction," Kandek said.

While it might be a light month for Microsoft patches, administrators and security professionals still have some work to do this week. Also on Tuesday, Adobe issued a fix for a critical vulnerability in Flash, for both the Mac OS and Windows editions.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchessecurityMicrosoft Patch TuesdayExploits / vulnerabilities

More about GoogleMicrosoftQualysTelnet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place