Microsoft Patches Zero-Day Windows Flaws Disclosed by Google

The first patch Tuesday of 2015 includes a few surprises in what it contains and what it doesn't.


Microsoft on Jan. 13 rolled out its first Patch Tuesday update of the new year, which included eight security bulletins, with one rated as having critical severity. Among the fixed vulnerabilities is a zero-day flaw impacting Windows that was first publicly disclosed by Google on Dec. 30, 2014.

The flaw that was disclosed by Google is actually the very first security bulletin for Microsoft in 2015. The flaw, with the designation MS15-001, is rated as "important" by Microsoft.

"An elevation of privilege vulnerability exists in how the Microsoft Windows Application Compatibility Infrastructure (AppCompat) improperly checks the authorization of the caller's impersonation token," Microsoft warns in its advisory. "An attacker could attempt to exploit this to run a privileged application."

In addition to the zero-day flaw that it announced on Dec. 30, Google announced a second Windows zero-day privilege escalation vulnerability on Jan. 11, noted Karl Sigler, threat intelligence manager at Trustwave. The second bug is patched in MS15-003.

"An elevation of privilege vulnerability exists in how the Windows User Profile Service (ProfSvc) validates user privilege," Microsoft warns in its advisory. "An authenticated attacker who successfully exploits the vulnerability could leverage the Windows User Profile Service (ProfSvc) to load registry hives associated with other user accounts and potentially execute programs with elevated permissions"

Interestingly, Microsoft has not publicly acknowledged that Google was the one that discovered the vulnerabilities fixed in the MS15-001 and MS15-003 security bulletins. Both bulletins simply state, "Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure."

Microsoft has publicly disagreed with Google's policy on disclosure. Google publicly disclosed the two zero-day flaws after first waiting 90 days for Microsoft to publish a patch.

"I think there must have been a problem in the communication between Microsoft and Google because it seems that the patch was available within a quite short timeframe of the 90-day limit date," Wolfgang Kandek, CTO of Qualys, told eWEEK.

Microsoft does, however, credit James Forshaw of Google's Project Zero security research team for the MS15-008 bulletin, which is a privilege escalation flaw in the Windows WebDAV kernel-mode driver.

All three privilege escalation vulnerabilities (MS15-001,MS15-003 and MS15-008) reported by Google are rated by Microsoft as only being of "important" severity and impact. In the January Patch Tuesday update, only the MS15-002 security bulletin was given the highest security rating of "critical." MS15-002 details a vulnerability in Telnet, which is an older software technology that enables remote access.

"Telnet, an insecure means of access by any standard, is something you still might see—especially in older IT infrastructures where it may be too expensive to replace on older systems," Jon Rudolph, principal software engineer at Core Security, told eWEEK.

Qualys' Kandek noted that the Telnet vulnerability shows that even old software can still harbor new bugs. No one should really be using Telnet anymore anyways, he added. Trustwave's Sigler commented that some people might say that the presence of an open Telnet port is, in itself, a vulnerability.

"Hopefully, those still using Telnet will migrate away from its use, and network admins should be doing regular network audits in order to discover legacy services like Telnet that may have been left behind or forgotten about," Sigler said.

Internet Explorer

One technology that did not receive a patch on January's Patch Tuesday was Microsoft's Internet Explorer Web browser. Throughout 2014, IE was the single most patched Microsoft technology, which makes IE's absence in the first patch of 2015 all the more surprising. That said, even though there isn't a patch for IE this month, there is a new IE version update. Microsoft's IE 10 and 11 browsers directly integrate Adobe's Flash plug-in, which was patched today by Adobe.

"The Adobe Flash update means that IE 10 and IE 11 users at least will get an automatic update for that desktop vulnerability which Adobe has rated as critical," Kandek said.

Sigler wasn't surprised by the lack of IE patches this month, especially given Microsoft's historical trends.

"January 2014 had no vulnerabilities in IE, followed by February with 24 individual CVEs for the software," Sigler said. "If there are no patches for IE in February, then I'll be surprised."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.