Tuesday, January 13, 2015

Microsoft Security Bulletin Release for January, 2015


Microsoft released eight (8) bulletins.  One (1) bulletin is identified as Critical and the remaining seven (7) are rated Important in severity.

The updates address 8 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows   MS15-001 and MS15-003 have been publicly disclosed.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

Important Note:  
Although it was officially released in May, 2014, non-Security updates include the release of .NET Framework 4.5.2 to Automatic Updates, WSUS, and Catalog.

Because many people have problems with .NET updates, it is strongly recommended that they be installed separately from other updates with a shutdown/restart.

Critical:
  • MS15-002 -- Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)

Important:
  • MS15-001 -- Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)
  • MS15-003 -- Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)
  • MS15-004 -- Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)
  • MS15-005 -- Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)
  • MS15-006 -- Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)
  • MS15-007 -- Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)
  • MS15-008 -- Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)

Security Bulletin MS14-080 Cumulative Security Update for Internet Explorer was re-released.  Also note the following additional information:
  1. Information on non-security update information can be found in KB 894199.
  2. Outdated ActiveX control blocking will be added to Windows Vista SP2 and Windows Server 2008 SP2.  See the TechNet article, Out-of-date ActiveX control blocking and the IE Blog for information on what this entails.
  3. For those interested in determining specific updates applicable to their operating system, see myBulletin.

Additional Update Notes

  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 

    The updated version includes the Win32/Emotet and Win32/Dyap malware families.  Additional details ave available in the MMPC blog post.

  • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

  • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

  • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.

References




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...






    No comments: