With Patch Tuesday January 2014 Microsoft made major change by not giving advance reports on fixes. This does not make a great difference as the advance notifications gave almost no hard information; this may have been deliberate to avoid giving cyber crooks the opportunity to exploit potential holes. However it had some value in that users knew what products were not being fixed. For example they knew that their MS Office versions were not getting any critical fixes.
Microsoft issues eight bulletins affecting only Windows. Only one of these is rated critical, a ‘vulnerability in Windows Telnet Server “ that can lead to a Remote Code Execution (RCE).Telnet is an old style internet based terminal protocol which does not even encrypt the part of the protocol where your password is presented to the server. Telnet is not enabled by default on any supported
Microsoft platform and of unsupported ones only on Server 2003. Any users still having Telnet will be well advised to remove it entirely and replace it with an encrypted alternative like SSH( Secure Shell), which will make the patch irrelevant.
Of the remaining seven fixes the more important ones are the following.
- MS 15-001 which fixes Application Compatibility Cache Elevation of Privilege bug publicized by Google in December 2014
- MS 15-003 which fixes the User Profile Service flaw which Google revealed two day before Microsoft’s announcement
Google acted under the terms of its Project zero bug finding program. Google discloses vulnerabilities found to vendors and gives them 90 days to issue fixes. If the vendor fails to do this Google publicly discloses the vulnerability with Proof of Concept (PoC) code on how exploit if this is available.
Google released proof of concept code showing how to exploit the above vulnerabilities in effect turning them into zero day. Administrators who like to do their patches in parallel may like wish to start with these two.
Adobe released patches on Flash, patching nine known vulnerabilities. These include RCE holes where your computer could get infected with malware through a malicious Flash file played in your browser. The updates are also applicable to Adobe AIR which is a standalone Flash player. AIR is rarely used but since it uses Flash code it the same security fixes that apply to Flash have to be applied.
Mozilla , which releases its patches every 42 days, rather than monthly also released its updates the same week as Microsoft. Firefox 35 has had several new features added, in addition to patches in RCE holes. Firefox follows Apple in putting its security fixes in detail on a ‘portal page’ and publishing them some time after the fixes have gone live. Several potential RCE holes have been fixed in the new releases.