System administrators will be relieved to know that the first Patch Tuesday of 2015 is a relatively light one from Microsoft, with only eight bulletins and eight CVEs, all of which affect the core Windows OS.
Most notably, there are no patches for Internet Explorer – a rarity for Microsoft, which is usually forced to issue updates each month for multiple IE flaws.
“While there are a lot of updates, they all apply to the core Windows OS without the need to worry about the difficult patching often associated with Microsoft's other products. The lack of IE and .NET bulletins aids the small patch drop this month,” explained Tyler Reguly, security researcher at Tripwire.
“While there are plenty of patches for Server 2003 this month, which is considered EOL in 6 months, it's more interesting to note that MS15-001 and MS15-006 only affect modern Windows operating systems.”
The one critical vulnerability, CVE-2015-0014, affects the Telnet service and could allow remote code execution. However, as Telnet is only installed by default on Windows Server 2003, and is not even enabled on that OS version, it will not affect a huge number of machines around the globe.
The other seven patches address ‘important’ flaws which could cause elevation of privilege, denial of service, and security feature bypass problems.
They include patches MS15-001 and MS15-003, for two elevation of privilege flaws which Google infamously made public before yesterday’s Microsoft security update round because Redmond had failed to patch them within the strict 90-day deadline set by Project Zero.
A war of words followed between the two computing giants and commentators have argued the case for both – on the one side that Google should have been more flexible and collaborative and on the other that Microsoft was dragging its heels and needed a ‘fire lighting under it.’
“It’s amusing to note, if this sort of thing amuses you, that MS15-001 and MS15-003 confirm that the vulnerability is public, but under acknowledgements simply state ‘Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure’,” noted Rapid7 senior manager of security engineering, Ross Barrett.
It seems that this very public spat between Microsoft's and Google’s security teams might linger well into 2015.
Another controversial strand to this month’s Patch Tuesday story is that it’s the first since Microsoft made the decision to take its Advanced Notification System (ANS) private, save for Premier customers.
“It is extremely hard to see how this benefits anyone, other than maybe whoever is responsible for support revenue targets for Microsoft,” said Barrett.
“What this means is that the world at large is getting their first look at understandable information about this round of patches 30 minutes after the automatic updates to fix those patches were triggered by Microsoft. Assuming you have automatic updates set to almost constant checking, and the affected platforms are supported by automatic patching, you might already be patched.”