Microsoft patches one critical flaw, rolls out new notification process

January saw a light Patch Tuesday, but Microsoft's move to discontinue its advance notification service has rankled security researchers.

Windows Server admins will be busy implementing the security updates in the first Patch Tuesday of 2015, and they'll notice some new changes as they update.

There are eight bulletins in this Patch Tuesday cycle. Only one is marked as critical; seven are important.

The critical bulletin addresses a remote code execution vulnerability in the Windows Telnet Service. The vulnerability could be exploited if users open malicious packets sent to affected Windows Server systems.

Although the bulletin is marked critical, only customers who enable Telnet are vulnerable, Microsoft said. Telnet is available on Windows Server 2003 but isn't enabled by default. It isn't installed by default on Windows Vista or later operating systems.

The important security fixes address a number of vulnerabilities in Microsoft services.

One important fix addresses a security feature bypass vulnerability in the Network Location Awareness Service in all supported versions of Windows. The vulnerability could be exploited if end users inadvertently relax firewall policies or service configurations when attackers spoof responses to the end users' LDAP and DNS traffic on the network. Another security feature bypass fix is for Windows Error Reporting in all supported versions of Windows.

Another important fix addresses a denial of service vulnerability in the Network Policy Server (NPS) and Internet Authentication Service (IAS) in all supported versions of Windows Server. The vulnerability could be exploited if attackers send malicious username strings to the NPS or the IAS, which could prevent RADIUS authentication from occurring on either the NPS or the IAS.

"Depending on how it's used, it could be quite problematic," said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.

While attackers can't take full control of the servers using this vulnerability, "taking down a Windows Server has a pretty high impact," said Amol Sarwate, vulnerability labs manager for Qualys.

Two important fixes address elevation of privilege vulnerabilities for Windows Components and Windows Kernel-Mode Driver in multiple supported versions of Windows. There are also important fixes for elevation of privilege vulnerabilities in the Windows Application Compatibility Cache in multiple versions of Windows and the Windows User Profile Service in all supported versions of Windows.

The complete list of this month's security fixes and affected software can be found on Microsoft's Security TechCenter site.

Microsoft spurns advance notifications

This is the first month Microsoft used a new method to deliver Patch Tuesday security bulletins. The company now uses the myBulletins program to provide customers with reports that can be tailored to meet their personal or organizational preferences.

"For us, this is certainly bad," Kandek said. "Qualys, as a company, we believe the advance notifications should continue."

Kandek continued, noting that customers scheduled workloads around the advance notification cycle.

"More transparency should be the way this should go," Kandek said. "Generally, I think this is going in the wrong direction."

Microsoft cited customers' changing habits as the reason to end the general availability of advance security notifications. These notifications will continue only for organizations involved in Microsoft's security program or customers in the Premier category, the company said.