Microsoft Subnet An independent Microsoft community View more

January 2015 Patch Tuesday: Microsoft releases 1 critical, 7 important security fixes

Microsoft released eight security bulletins for January 2015 after Redmond started the year off as jerks by changing its Advanced Notification Service (ANS) so it is only available if you pay to be a 'premium' customer.

Windows security patches
Credit: Open Clips

You may have paid for your version of Windows, but Microsoft doesn’t think you deserve Redmond’s Advanced Notification Service (ANS) unless you pay more to be a “premium” customer. Although that might be great as soon as the world no longer runs on Microsoft, for right now it seems like Microsoft “evolving” its security practices is an uber-jerk move that it will affect billions of users worldwide running various flavors of Windows.

“While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically,” wrote Microsoft Security Response Center senior director Chris Betz. “Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.”

Too bad so sad if Microsoft pushes out an emergency patch, as unless you pay for the privilege, you will be flying blind; Microsoft will not provide advance notification – only the patch to plug yet another security hole in its software.

If you don’t shell out even more money to Microsoft, then the best the company will offer you is “myBulletins,” a useless tool for the big picture of security as it only shows you security bulletins that apply to your system. “As our customers’ needs change, so must our approach to security,” Betz said. “We remain relentless in our commitment to protect customers and the ongoing delivery of secure computing experiences.”

Oh really? Because the evolution of Microsoft’s “commitment to protect customers” did not include pushing out a patch that it had ready before its precious monthly Patch Tuesday. Then the company is irked when Google publicly disclosed the Windows 8.1 Elevation of Privilege (EoP) flaw that it had privately reported to Microsoft back in October.

Google isn’t cleaning up its own house as it refused to patch Android 4.3 or older platforms – affecting 60% of pre-KitKat Android users, meaning over 930 million people with pre-4.4 WebView on Android devices. Put another way, Google’s decision not to patch puts nearly a billion Android users “in danger of being targeted by cyber attackers exploiting vulnerabilities in WebView.”

Yet regarding the Microsoft vulnerability, Google reasoned that its 90 day disclosure window had passed; its refusal to wait 92 days for the patch to be pushed out could be interpreted as inflexible. As Peter Bright of Ars Technica pointed out, both tech giants sticking to their own policies have nothing to do with benefiting users.

Of course Microsoft freaked out after Google went public with the flaw; Betz claimed, “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.” He added, “Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives.”

Riiight…unless it comes to fixing a zero-day flaw with an out-of-band emergency patch because of its rigid Patch Tuesday timeline. As for comprehensively addressing security concerns, Microsoft decided such comprehensive security access of ANS, that used to be free, now requires a fee.

That may or may not imply that nothing with Microsoft will be free, despite rumors that a Windows 10 upgrade might be free for some users. It still seems stupid that Microsoft thinks it can skip Windows 9 to place distance between it and the disastrous Windows 8. But hey, it seems like Redmond is applying that same logic to its web browser. Can so much hate for Internet Explorer be dispelled by the new browser Spartan that will come as part of Windows 10?

Neowin reported, “Spartan will be the browser across all of your Microsoft devices, from Windows 10 Mobile (Windows Phone) to Windows 10, and eventually onto your Xbox; this is Microsoft's new Modern browser. And because Modern apps now work on the desktop in Windows 10, Spartan could very well be your choice of replacement for Internet Explorer.”

Microsoft will likely tell us more during its Windows 10 press even on the 21st.

1 critical, 7 important Microsoft patches in Jan. 2015

Here are Microsoft’s eight security bulletins for January 2015.

Only MS15-002 is rated as critical; it patches a privately reported RCE vulnerability in Windows Telnet service, which could allow remote code execution.

The remaining seven are rated as important.

Four deal with elevation of privilege vulnerabilities. MS15-001 fixes a publicly disclosed EoP vulnerability in Microsoft Windows application compatibility cache. MS15-003 patches a publicly disclosed EoP vulnerability in Microsoft Windows user profile service. MS15-004 closes the hole in a privately reported EoP vulnerability in Windows components. MS15-008 squashes one privately reported EoP vulnerability in Microsoft Windows.

MS15-005 patches a privately reported bug in Windows network location awareness service that could “allow security feature bypass by unintentionally relaxing the firewall policy and/or configuration of certain services when an attacker on the same network as the victim spoofs responses to DNS and LDAP traffic initiated by the victim.”

MS15-006 fixes a privately reported vulnerability in Windows Error Reporting, which “could allow security feature bypass if successfully exploited by an attacker.”

MS15-007 closes a hole in the privately reported vulnerability in Windows; if left unpatched, “could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) if an attacker sends specially crafted username strings to the IAS or NPS.”

Happy patching!

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.