5 replies to this topic

[AplusWebMaster]

FYI...

- https://technet.micr...curity/ms15-jan
Jan 13, 2015 - "This bulletin summary lists security bulletins released for January 2015...
(Total of -8-)

Microsoft Security Bulletin MS15-001 - Important
Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)
- https://technet.micr...curity/MS15-001
Important - Elevation of Privilege - Requires restart- Microsoft Windows

Microsoft Security Bulletin MS15-002 - Critical
Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)
- https://technet.micr...curity/MS15-002
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS15-003 - Important
Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)
- https://technet.micr...curity/MS15-003
Important - Elevation of Privilege - May require restart - Microsoft Windows

Microsoft Security Bulletin MS15-004 - Important
Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)
- https://technet.micr...curity/MS15-004
Important - Elevation of Privilege - May require restart - Microsoft Windows

Microsoft Security Bulletin MS15-005 - Important
Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)
- https://technet.micr...curity/MS15-005
Important - Security Feature Bypass - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS15-006 - Important
Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)
- https://technet.micr...curity/MS15-006
Important - Security Feature Bypass - May require restart - Microsoft Windows

Microsoft Security Bulletin MS15-007 - Important
Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)
- https://technet.micr...curity/MS15-007
Important - Denial of Service - May require restart - Microsoft Windows

Microsoft Security Bulletin MS15-008 - Important
Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)
- https://technet.micr...curity/MS15-008
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- http://blogs.technet...15-updates.aspx
Jan 13, 2015 - "... We re-released one Security Bulletin:
- MS14-080 Cumulative Security Update for Internet Explorer
> https://technet.micr...curity/MS14-080 *
One Security Advisory was revised:
- Update for Vulnerabilities in Adobe Flash Player in Internet Explorer (2755801)
> https://technet.micr...ty/2755801.aspx ..."

 

*   V1.0 (December 9, 2014): Bulletin published.
    V2.0 (January 13, 2015): To address issues with Security Update 3008923, Microsoft re-released MS14-080 to comprehensively address CVE-2014-6363. In addition to installing update 3008923, customers running Explorer 10 on Windows 8, Windows Server 2012, or Window RT should also install update 3029449, which has been added with this rerelease. Customers who have already successfully installed the 3008923 update, which has not changed since its original release, do -not- need to reinstall it. See Microsoft Knowledge Base Article 3008923** for more information.
** https://support.micr....com/kb/3008923
Last Review: Jan 13, 2015 - Rev: 8.0
Last Review: Jan 14, 2015 - Rev: 9.0

Office Updates
- http://blogs.technet...ed_engineering/
___

- http://www.securityt....com/id/1031527 - MS15-001
- http://www.securityt....com/id/1031523 - MS15-002
- http://www.securityt....com/id/1031528 - MS15-003
- http://www.securityt....com/id/1031524 - MS15-004
- http://www.securityt....com/id/1031529 - MS15-005
- http://www.securityt....com/id/1031530 - MS15-006
- http://www.securityt....com/id/1031532 - MS15-007
- http://www.securityt....com/id/1031531 - MS15-008
___

ISC Analysis
- https://isc.sans.edu...l?storyid=19179
2015-01-13 - 18:26:14 UTC
.

Edited by AplusWebMaster, 14 January 2015 - 12:13 AM.

[AplusWebMaster]

FYI...

Relief for botched Excel patch/fixes for KB 2553154, 2726958 -missing- from January patch-Tuesday
... included a patch-of-a-patch-of-a-patch, but -lacked- several crucial fixes
- http://www.infoworld...26958-botc.html
Jan 14, 2015 - "... On Tuesday Microsoft released its crop of patches for January, including the following:
    A -new- MS14-080 / KB 3029449, which is an Internet Explorer cumulative rollup re-release of the old MS14-080 / KB 3008923, which was one of the botched-hangover-patches from December. Note the change in KB number. In certain circumstances (which I describe below) you may need to install -both- patches.
    A "critical" patch, MS15-002 / KB 3020393, for Telnet, which is a communication protocol that's 45 years old - and rarely used on modern Windows desktops. That's the -only- critical patch this month; all the others are "Important."
    A fix, MS15-003 / KB 3021674, for the zero-day User Profile Services escalation that was publicly (and controversially) reported by Google on Sunday, Jan. 11. This isn't a critical flaw in Windows because it entails escalation of privilege - elevating your session to Admin mode. In order to exploit the flaw, the miscreant has to be in the computer already.
    A fix for the other zero-day bug, ahcache.sys/NtApphelpCacheControl, which Google publicly disclosed on Dec. 29. That's MS15-001 / KB 3023266.
Here's what we -didn't- get on Tuesday:
    A fix for the badly botched MS14-082 / KB 3017349 Office patch, which clobbers Excel ActiveX in Office 2007, 2010, and 2013, as reported on Dec. 11. There's even a newly reported problem, where default naming of controls gets all screwed up. The three component patches - KB 2726958 for Office 2013, KB 2553154 for Office 2010, and KB 2596927 for Office 2007 - are -still- being offered via Automatic Update. If you create or distribute Office macros, Microsoft continues to screw up your programs, rolling the poison pill out the Automatic Update chute. It's still way too early to tell if there are additional problems with this month's patches. I fully expect the Windows Kernel Mode driver patch, MS15-008 / KB 3019215 will figure prominently in due course, simply because Kernel Mode driver patches always seem to cause trouble.
Here's what's happening with the re-released (but differently numbered) MS14-080 patch... This gets messy. The original MS14-080 / KB 3008923 IE rollup had all sorts of bugs. Microsoft issued a patch, KB 3025390, to fix the problems but it, in turn, caused even more problems (see the comments to my InfoWorld article). In addition, Microsoft discovered that the original KB 3008923 didn't fix a VBScript security hole, known as CVE-2014-6363. So this month, Microsoft issued an update to MS14-080 called KB 3029449 that specifically addresses the VBScript hole. As the KB 302449 article puts it:
    This package contains the VBScript 5.8 updates that are intended for Internet Explorer 10 in a Windows 8 or Windows Server 2012 environment. Install this update and the December cumulative security update for Internet Explorer.
MS14-080 now includes these bafflegab instructions:
    To address issues with Security Update 3008923, Microsoft re-released MS14-080 to comprehensively address CVE-2014-6363. In addition to installing update 3008923, customers running Internet Explorer 10 on Windows 8, Windows Server 2012, or Window RT should also install update 3029449, which has been added with this rerelease. Customers who have already successfully installed the 3008923 update, which has not changed since its original release, do not need to reinstall it. See Microsoft Knowledge Base Article 3008923 for more information.
It isn't at all clear if the new version of MS14-080 includes -fixes- for the problems introduced by the old MS14-080, and/or the problems introduced by KB 3025390, which was -supposed- to solve those original MS14-080 problems..."
* http://www.infoworld...kb-3008923.html
 

Edited by AplusWebMaster, 15 January 2015 - 08:20 AM.

[AplusWebMaster]

FYI...

MS finally solves big problems with Surface Pro 3
- http://www.infoworld...face-pro-3.html
Jan 21, 2015 - "Judging by many comments on the Microsoft Answers forum and elsewhere, Microsoft's Jan. 15 firmware update* for the Surface Pro 3 has solved almost all outstanding issues with Wi-Fi connections, hibernating, Bluetooth connectivity, battery drain on standby, Hyper-V interference with Wi-Fi, and more... It now appears that the Surface Pro 3 is relatively glitch-free and ready for the big time. That's a big step up from the problems we've seen with the last -nine- firmware patches."
(More detail at the infoworld URL above.)
* http://blogs.technet...ce-devices.aspx
 

[AplusWebMaster]

FYI...

Microsoft Security Advisory 2755801
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- https://technet.micr...ecurity/2755801
V35.0 (Jan 22, 2015): Added the 3033408 update to the Current Update section...
"... Affected Software: This advisory discusses the following software.
Windows 8 for 32-bit Systems / Adobe Flash Player in Internet Explorer 10
Windows 8 for 64-bit Systems / Adobe Flash Player in Internet Explorer 10
Windows Server 2012 / Adobe Flash Player in Internet Explorer 10
Windows RT / Adobe Flash Player in Internet Explorer 10
Windows 8.1 for 32-bit Systems / Adobe Flash Player in Internet Explorer 11
Windows 8.1 for 64-bit Systems / Adobe Flash Player in Internet Explorer 11
Windows Server 2012 R2 / Adobe Flash Player in Internet Explorer 11
Windows RT 8.1  / Adobe Flash Player in Internet Explorer 11
... The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11..."

[Link: https://support.micr....com/kb/3033408 ]
 

Edited by AplusWebMaster, 22 January 2015 - 04:42 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory 2755801
Update for Vulnerabilities in Adobe Flash Player in IE 10/11
- https://technet.micr...ecurity/2755801
Updated: Jan 27, 2015
V36.0 - "... The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11..."
> https://support.micr....com/kb/3035034
___

- https://helpx.adobe..../apsb15-03.html
Jan 27, 2015
CVE-2015-0312: https://cve.mitre.or...e=CVE-2015-0312
 "... Adobe is aware of reports that CVE-2015-0311 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. Adobe recommends users update their product installations to the latest versions:
- Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.296.
- Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.264.
- Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.440.
- Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.296.
> Affected software versions:
Adobe Flash Player 16.0.0.287 and earlier versions
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux..."
___

- http://www.securityt....com/id/1031635
CVE Reference: https://cve.mitre.or...e=CVE-2015-0312
Jan 27 2015
 

[AplusWebMaster]

FYI...

Microsoft Security Advisory 2755801
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- https://technet.micr...ecurity/2755801
Updated: Feb 5, 2015 - V37.0
"Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11...
- https://support.micr....com/kb/3021953
Last Review: Feb 5, 2015 - Rev 1.0