This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for January 2015.
Welcome to 2015 and the first Patch Tuesday update of the new year. We kick off the new year with an important change from Microsoft regarding their Patch Tuesday notifications. On January 8, 2015, Microsoft announced that they are changing the Advance Notification Service (ANS). The most critical piece of this news is that Microsoft’s ANS will now be distributed only to their Premier customers and to organizations in their security programs, such as the Microsoft Active Protections Program. Microsoft is discontinuing the wide public distribution of ANS through blog posts, web pages, and email subscriptions. If you were a member of the ANS, you may have noticed that you did not receive an advance email for the January 2015 patches. Intel Security is a member of the Microsoft Active Protections Program, and we remain committed to providing our timely analysis of the Microsoft monthly patches.
This month Microsoft released a total of eight (8) security updates. One (1) of these is rated Critical, the rating Microsoft gives to a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other seven (7) are rated Important.
Clarification of the McAfee Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list McAfee products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see a McAfee product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
This Important update addresses a vulnerability in the Microsoft Windows Application Compatibility Infrastructure. AppCompat improperly checks the authorization of the caller’s impersonation token. An attacker would need to be logged on to an affected system and run a specially crafted application in order to exploit this vulnerability. Once exploited, the attacker could execute arbitrary code with elevated privileges. The update for this vulnerability remediates the issue by properly checking authorization of the impersonation token.
Our lone Critical update this month affects the Windows Telnet service. The vulnerability is a buffer overflow that is caused when the Telnet service improperly validates user input. In order to exploit this vulnerability, an attacker would need to send specially crafted Telnet packets to a Windows machine running the Telnet service. If the attack is successful, the attacker could potentially execute arbitrary code on the affected target machine. Note that the Telnet service is not installed and enabled by default on most versions of Windows. Only machines with the Telnet service installed and running (and unpatched) are vulnerable.
This security update resolves a vulnerability in the Windows User Profile Service (ProfSvc). An authenticated attacker could load registry hives associated with other user accounts and could potentially gain the ability to execute programs with elevated permissions. It is important to note that an attacker must have valid logon credentials, be able to log on locally to an unpatched machine, and be authenticated in order to potentially exploit this vulnerability.
This security update resolves an elevation of privilege vulnerability in the way the TS WebProxy Windows component sanitizes file paths.
An attacker would need to take advantage of an existing vulnerability in Internet Explorer and convince a user to download a specially crafted application. The content could be hosted on a compromised website or on a forum/blog site that allows users to post their own content. Users could be lured to one of these sites by clicking on a link in an Internet search results screen or an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
Typically, exploitation of this vulnerability would be combined with another remote code execution vulnerability. For this vulnerability, attackers could gain the same user rights as the currently logged-on user. If the currently logged-on user is an administrative user, the attacker would have the capability to install or remove programs, make system-wide changes, add bogus user accounts, etc.
This reinforces a security best practice of not operating with administrative permissions, as users configured with fewer rights will likely have less exposure.
Here we have a security feature bypass vulnerability in the Network Location Awareness (NLA) service. This vulnerability could unintentionally relax the Windows firewall policy and/or allow changes to be made to the configuration of certain Windows services.
The primary concern for this particular vulnerability is domain-joined computers that connect to untrusted networks, such as a user’s home network or a public Wi-Fi location. An attacker must be connected to the same network as the victim’s computer in order to exploit this vulnerability. An attacker residing on the same untrusted network would spoof responses to the DNS and LDAP traffic initiated by an unpatched system. The patch resolves this vulnerability by forcing mutual authentication via Kerberos.
This vulnerability is a security feature bypass that exists in Windows Error Reporting (WER). A technique known as “Protected Process Light” inhibits the debugging of critical system processes by users, including administrative users. An attacker can potentially bypass this security feature and gain access to the memory of a running process. Please note that an attacker must possess valid logon credentials and be able to log on locally in order to exploit this vulnerability. This patch addresses the mechanism that Windows Error Reporting (WER) uses to interact with running processes.
Here we have a denial of service vulnerability in the Internet Authentication Service (IAS) or Network Policy Server (NPS). An unauthenticated attacker can craft special username strings and send them to the IAS or NPS server. The attacker would not gain the capability to execute code or obtain information from the affected server, but by exploiting this vulnerability the attacker could prevent the IAS or NPS machine from servicing RADIUS authentication requests.
Lastly, this security update resolves an elevation of privilege vulnerability in the WebDAV kernel-mode driver (mrxdav.sys). Because of the nature of this vulnerability, an attacker would need to first log on locally to the target system and then run a specially crafted application that exploits the vulnerability. After exploitation, the attacker can intercept incoming WebDAV requests and potentially redirect those requests to return any file that the attacker chooses. An exploited system could then be utilized as a distribution mechanism for malicious content.
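Several of this month’s bulletins only matter on machines where the affected component is installed and running (the Telnet service and IAS/NPS in particular). The following PowerShell triage script is an added example, not part of this newsletter or any McAfee product; it uses the standard Windows service names for the components named above and reports whether each is present and running on the local host.

```powershell
# Added example (not from the newsletter): inventory the Windows components named in
# this month's bulletins and report whether each is installed and running on this host.
# The Service values are the standard Windows service names for those components.
# Run in an elevated PowerShell session on the machine being triaged.

$components = @(
    @{ Bulletin = 'Telnet service (Critical)';    Service = 'TlntSvr'   },
    @{ Bulletin = 'User Profile Service';         Service = 'ProfSvc'   },
    @{ Bulletin = 'Network Location Awareness';   Service = 'NlaSvc'    },
    @{ Bulletin = 'Windows Error Reporting';      Service = 'WerSvc'    },
    @{ Bulletin = 'IAS / Network Policy Server';  Service = 'IAS'       },
    @{ Bulletin = 'WebDAV client (mrxdav.sys)';   Service = 'WebClient' }
)

foreach ($c in $components) {
    # Win32_Service returns nothing when the service is not installed at all
    # (the expected result for Telnet and NPS on most workstations).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($c.Service)'"
    if ($null -eq $svc) {
        $state = 'not installed'
    } else {
        $state = "$($svc.State.ToLower()), start mode $($svc.StartMode)"
    }
    [pscustomobject]@{
        Component = $c.Bulletin
        Service   = $c.Service
        Status    = $state
    }
}

# mrxdav.sys is loaded on demand by the WebClient service; also report whether the
# kernel-mode driver itself is currently present.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='MRxDAV'"
if ($drv) { "mrxdav.sys driver: $($drv.State)" } else { "mrxdav.sys driver: not loaded" }
```

A "not installed" result for the Telnet service confirms the caveat above that only machines with Telnet installed and running are exposed to the Critical bulletin; the script reports presence only and does not check whether the January updates have been applied.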
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Bonus Vulnerability Coverage: Just like last month, here’s a bonus vulnerability. Although not technically listed as a Microsoft Security Bulletin, Microsoft updated Microsoft Security Advisory 2755801 in January to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-01. A McAfee Labs Security Advisory for this vulnerability will be published to the McAfee Labs Security Advisories Community site.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for January 2015 at the Microsoft site.
Until next month…stay safe!