Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-597 on Wednesday, January 14th.
Vulnerability | CVE
--- | ---
Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability | CVE-2015-0002
Windows Telnet Service Buffer Overflow Vulnerability | CVE-2015-0014
Microsoft User Profile Service Elevation of Privilege Vulnerability | CVE-2015-0004
Directory Traversal Elevation of Privilege Vulnerability | CVE-2015-0016
NLA Secure Feature Bypass Vulnerability | CVE-2015-0006
Windows Error Reporting Security Feature Bypass Vulnerability | CVE-2015-0001
Network Policy Server RADIUS Implementation Denial of Service Vulnerability | CVE-2015-0015
WebDAV Elevation of Privilege Vulnerability | CVE-2015-0011
MS15-001
The first update this month resolves a vulnerability that was publicly disclosed by Google prior to the patch release. The vulnerability occurs due to a flaw in the verification of the impersonation token, allowing a non-privileged user to run privileged code.
MS15-002
The second update this month addresses a service seldom discussed these days: Telnet. This is the worst kind of vulnerability, a remote code execution in a listening service. The upside, if there is any, is that Telnet shouldn’t be enabled in 99.9% of environments (excepting the occasional legacy system that hasn’t been replaced yet). If this affects you, make sure you apply the patch, but also investigate how you can begin to phase Telnet out of your environment, especially on your Windows systems, which have better remote management alternatives.
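As an added example (not part of the VERT alert), a PowerShell inventory check a defender can run on a Windows host to find Telnet Server exposure before tracking MS15-002 patching and the phase-out; it assumes Windows 8 / Server 2012 or later and an elevated session, and the ServerManager fallback applies only on server SKUs:

```powershell
# Added example (not from the VERT alert): inventory a Windows host for Telnet Server
# exposure so MS15-002 patching and Telnet phase-out can be tracked.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-WindowsOptionalFeature)
# and an elevated session; Get-WindowsFeature only exists on server SKUs (ServerManager module).
function Get-TelnetServerExposure {
    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        ServicePresent   = $false
        ServiceStatus    = 'NotInstalled'
        ServiceStartMode = 'n/a'
        FeatureInstalled = $false
        ListeningOnTcp23 = $false
    }

    # TlntSvr is the service name of the built-in Windows Telnet Server.
    $svc = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent   = $true
        $result.ServiceStatus    = $svc.Status.ToString()
        $result.ServiceStartMode = (Get-CimInstance Win32_Service -Filter "Name='TlntSvr'").StartMode
    }

    # Optional-feature state; fall back to ServerManager on servers that lack the DISM cmdlet result.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName 'TelnetServer' -ErrorAction SilentlyContinue
    if ($feat) {
        $result.FeatureInstalled = ($feat.State -eq 'Enabled')
    } elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $result.FeatureInstalled = [bool](Get-WindowsFeature -Name 'Telnet-Server').Installed
    }

    # A listener on TCP/23 is the exposure that matters regardless of how Telnet was installed.
    $listener = Get-NetTCPConnection -LocalPort 23 -State Listen -ErrorAction SilentlyContinue
    $result.ListeningOnTcp23 = [bool]$listener

    [pscustomobject]$result
}

# Run locally; to fan out, pass the function body to Invoke-Command, e.g.
# Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-TelnetServerExposure}
Get-TelnetServerExposure | Format-List
```

Hosts reporting a present service, an enabled feature, or a TCP/23 listener are the ones to patch first and to schedule for Telnet removal.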
MS15-003
Up next, we have the second vulnerability that was publicly disclosed by Google. This one is a privilege escalation in the User Profile Service, which is used for certain configurations when a user logs into a computer.
MS15-004
The fourth update this month resolves a single vulnerability in the TS WebProxy Windows Component. This directory traversal vulnerability appears to allow for sandbox escape from restricted processes (such as those launched by Internet Explorer) to that of a regular user account. Microsoft has stated that they are aware of limited attacks targeting this vulnerability.
MS15-005
Systems vulnerable to MS15-005 could receive spoofed DNS and LDAP responses while connected to an untrusted network, which would allow the domain policy to be applied, treating the network as trusted and possibly reducing the security controls in place. This update forces mutual authentication via Kerberos before the domain policy can be applied, thereby mitigating the vulnerability. Due to the complexity of the changes required to apply this fix to Server 2003, it will remain in a vulnerable state and an MS15-005 update will not be made available for it.
MS15-006
The vulnerability fixed by MS15-006 is interesting in that the attacker must already have administrative access to the system. An attacker in that position could exploit a vulnerability in Windows Error Reporting to view the memory of protected processes in an attempt to gather additional credentials.
MS15-007
The penultimate patch this month resolves a denial of service within the RADIUS implementation in the Network Policy Server. A specially crafted username sent to an IAS or NPS service could cause the denial of service, which would prevent future authentication against the service.
MS15-008
The final patch this month resolves an issue with kernel-mode drivers on the Windows operating system. Normally, when we see mention of kernel-mode drivers, we expect to see reference to Win32k.sys; this month, however, the update resolves a vulnerability in the WebDAV kernel-mode driver (mrxdav.sys). An attacker could escalate their privileges in such a way that they could intercept WebDAV requests and redirect the requests to malicious files.
Additional Information
Adobe has released updates for Flash (APSB15-01[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2]. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table
Ease of Use (rows) \ Exposure (columns) | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
--- | --- | --- | --- | --- | --- | ---
Automated Exploit | | | | | |
Easy | | | | | |
Moderate | | | | | |
Difficult | MS15-001, MS15-003 | | | | |
Extremely Difficult | | | | | |
No Known Exploit | MS15-005, MS15-006 | MS15-004, MS15-008 | MS15-007 | MS15-002 | |
[1] http://helpx.adobe.com/security/products/flash-player/apsb15-01.html
[2] http://technet.microsoft.com/en-ca/security/advisory/2755801