Happy New Year and welcome to the first Microsoft Patch Tuesday of 2015. This year's January release is twice the size of last year's, with eight bulletins total. One is rated "Critical" and the other seven are marked "Important".
The month's release is notable for patching two vulnerabilities released as zero days by Google. Both vulnerabilities were privilege elevation vulnerabilities in Windows. Google released the first vulnerability on December 29 and the second one on January 11 complete with Proof of Concept (PoC) exploit code.
Why didn't Google wait until today to release the vulnerability details? The vulnerabilities were disclosed under Google's new Project Zero vulnerability disclosure policy. The policy dictates that a vendor will get 90 days to patch a vulnerability after Google discloses it to them. If the vendor doesn't have a patch or workaround ready in that time Google will automatically disclose.
This process is generally known as Coordinated Vulnerability Disclosure, where an organization works closely with a vendor to make sure that security vulnerabilities are patched before criminals exploit them. It's important for Google, as the organization reporting the vulnerability, to be flexible and understand the difficulties of patch development. Bugs embedded deep in an operating system's architecture will take longer to patch than a minor filtering issue in an application. As Microsoft notes in their response to the disclosure, "Responding to security vulnerabilities can be a complex, extensive and time-consuming process."
Still, 90 days should be more than enough time to fix all but the most difficult bugs. If there is a reason to not have a fix in 90 days, it better be a good and very detailed reason with a new deadline set in cement. There's an important reason for these disclosure deadlines. If the "good guys" are finding this vulnerability, there's good reason to think that criminals have found it too. Sometimes sticking to your deadlines is the only way to light a fire under an organization and actually get them to take the vulnerability seriously.
In the end Coordinated Vulnerability Disclosure should be just that: coordinated. Unfortunately, what should be a collaboration between the vendor and the disclosing organization often ends up being a power struggle, with one side or the other pushing a little too hard.
Vulnerability in Windows AppCompatCache could allow Elevation of Privilege
This security update resolves a vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could bypass existing permission checks that are performed during cache modification in the Microsoft Windows Application Compatibility component and execute arbitrary code with elevated privileges.
More details can be found here: https://code.google.com/p/google-security-research/issues/detail?id=118
Vulnerability in Windows Telnet Service Could Cause Remote Code Execution
This security update resolves a vulnerability in Microsoft Windows that could allow remote code execution if an attacker sends specially crafted packets to an affected Windows server. By default, Telnet is not installed on any affected operating system releases. Only customers who manually install this service are likely to be vulnerable.
Vulnerability in Windows User Profile Service could allow Elevation of Privilege
This security update resolves a vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. A local attacker who successfully exploited this vulnerability could run arbitrary code on a target system with elevated privileges. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
More details can be found here: https://code.google.com/p/google-security-research/issues/detail?id=123
Vulnerability in Windows Components Could Allow Elevation of Privilege
This security update resolves a vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker convinces a user to run a specially crafted application. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Vulnerability in NLA Could Allow Security Feature Bypass
This security update resolves a vulnerability in Microsoft Windows that could allow security feature bypass by unintentionally relaxing the firewall policy and/or configuration of certain services. An attacker on the same network as the victim could spoof responses to DNS and LDAP traffic initiated by the victim.
Vulnerability in WER could Allow Security Feature Bypass
A security feature bypass vulnerability exists in Windows Error Reporting (WER) that allows administrative users to view the memory contents of processes protected by "Protected Process Light." "Protected Process Light" inhibits debugging of critical system processes by arbitrary users on the system, even administrative users. An attacker who successfully exploited this vulnerability could access the memory of a running process protected by "Protected Process Light."
"Protected Process Light" is designed to help mitigate attack scenarios where a malicious user already has administrative access and is trying to gather additional credentials in order to facilitate lateral attacks against other systems.
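Two of the bulletins above hinge on host configuration rather than on the patch alone: the Telnet bulletin only matters where Telnet Server was manually installed, and the WER bulletin only weakens hosts that actually rely on Protected Process Light. The following PowerShell script is an added example (not code from the original post, from Microsoft, or from Google) that reports both conditions and lists the hotfixes applied since this release date. It assumes the Telnet service name "TlntSvr", the Server feature name "Telnet-Server", and that LSA protection is the Protected Process Light use the reader cares about, which is exposed through the RunAsPPL value under the Lsa key on Windows 8.1 / Server 2012 R2 and later; the post itself names none of these, so treat them as assumptions to verify on your own builds.

```powershell
# Added exposure check; not Microsoft's or the post author's code.
# Assumes: Windows PowerShell 3+ in an elevated session; Telnet service 'TlntSvr';
# Server feature 'Telnet-Server'; LSA protection via HKLM\...\Lsa\RunAsPPL.
# Read-only: nothing on the host is changed.

function Test-TelnetServerInstalled {
    # Only hosts where Telnet Server was manually added are exposed to the Telnet bulletin.
    $svc = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
    $feature = $null
    # Get-WindowsFeature exists only where the ServerManager module is available.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'Telnet-Server' -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        ServicePresent   = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        FeatureInstalled = if ($feature) { [bool]$feature.Installed } else { $false }
    }
}

function Test-LsaProtection {
    # RunAsPPL = 1 runs the LSA process as Protected Process Light, the mitigation the WER
    # bulletin bypasses. Absent or 0 means an administrator can read LSA memory without
    # any bypass at all, so the patch changes nothing on such a host.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL = if ($lsa) { $lsa.RunAsPPL } else { 'not set' }
        Enabled  = [bool]($lsa -and $lsa.RunAsPPL -eq 1)
    }
}

function Get-HotFixesSince {
    # January 2015 Patch Tuesday fell on 2015-01-13; InstalledOn can be empty on some builds.
    param([datetime]$Since = (Get-Date '2015-01-13'))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn
}

$telnet = Test-TelnetServerInstalled
$lsa    = Test-LsaProtection

Write-Host "Telnet Server present : $($telnet.ServicePresent -or $telnet.FeatureInstalled) (service: $($telnet.ServiceStatus))"
Write-Host "LSA protection (PPL)  : $($lsa.Enabled) (RunAsPPL = $($lsa.RunAsPPL))"
Write-Host "Hotfixes since release:"
Get-HotFixesSince | Format-Table -AutoSize
```

Run it on a representative server and workstation before triaging the two bulletins: a host with no Telnet service and no Telnet-Server feature can deprioritize the Telnet fix, while a host where RunAsPPL is not set should treat enabling LSA protection as the more urgent change, since the WER bypass only matters once that control is in place.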
Vulnerability in Network Policy Server RADIUS Could Cause Denial of Service
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) if an attacker sends specially crafted username strings to the IAS or NPS. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights; however, it could prevent RADIUS authentication on the IAS or NPS.
Vulnerabilities in Windows Kernel Mode Drivers Could Allow Elevation of Privilege
An elevation of privilege vulnerability exists in the WebDAV kernel-mode driver (mrxdav.sys) when it fails to properly validate and enforce impersonation levels. An attacker who successfully exploited this vulnerability could bypass impersonation-level security and gain elevated privileges on a targeted system. This could allow them to intercept WebDAV requests for files from any server (including corporate SharePoint sites) and redirect those file requests to return any, potentially malicious, files of the attacker's choosing. The update addresses the vulnerability by correcting how the Windows kernel-mode driver validates impersonation levels.