Wednesday, January 14, 2015

Microsoft patches a vulnerability in Telnet and the issues raised by Google – dobreprogramy

Microsoft has just released the latest patches for Windows and its other software, which we strongly recommend installing – among them is a package that patches a very serious 0-day security hole discovered, and then publicized, by experts from Google.

This Tuesday's update comprised a total of eight security patches, one marked as critical and the others as important. The first, labeled MS15-002, concerns the possibility of sending a specially crafted packet to a Telnet server that allows security to be bypassed and malicious code to be executed remotely. As a result, it is possible not only to elevate privileges but also, for example, to carry out a denial-of-service attack. The problem is very serious; on the other hand, it affects few users, because although Telnet can be found in e.g. Windows Server 2003 or Windows Vista and later versions of the system, it is disabled by default in them.

Recently, a 0-day vulnerability caused quite a stir. It was discovered by Google employees working in the company's Project Zero group, which searches for vulnerabilities in third-party software. The rules the group has adopted are very restrictive: bugs that threaten security are reported to the vendor, and if the vendor does not release appropriate patches within 90 days of their discovery, the problem is disclosed to the public. That is what happened this time, for which Microsoft indeed seriously criticized Google – according to Chris Betz of the Microsoft Security Response Center, Google had been informed that the patch was being developed and had been asked not to publish information about the threat.

It is difficult to give a clear verdict on this. On the one hand, 90 days is a very long time for a high-risk threat (remember that this vulnerability makes it possible to run your own processes with administrator privileges without authorization); on the other hand, such problems often require a lot of time and work, and Google is not known for particular flexibility or cooperation with the companies to which it reports bugs. It can be assumed that in this case both companies acted unwisely. Most importantly, thanks to the disclosure Microsoft did react to the problem and issued patches labeled MS15-001 and MS15-003, which fix it.

The other fixes concern bugs that have not yet been made public. The MS15-005 package relates to a bug in the Network Location Awareness subsystem, MS15-006 patches a vulnerability in the system's error reporting mechanism, so well liked by users, and MS15-007 improves the security of the Network Policy Server component. The other two packages, MS15-004 and MS15-008, are in turn responsible for fixes in other components of the system and in the integrated drivers. Interestingly, this time we meet with many fixes for Internet Explorer – for nine security vulnerabilities and the corresponding Adobe Flash Player and AIR runtime software. This fix is now available and also patches the Flash built into the IE10 and IE11 browsers.

On the occasion of the release of the new security bulletins, it is worth recalling that Microsoft recently decided to radically change its policy on sharing information about them. Until now, announcements of upcoming patches were published a few days in advance through the Advance Notification Service (ANS), which made it possible to read thoroughly about what had been discovered in the system. Since the beginning of January, however, things look different: access to the announcements is given only to persons or organizations that pay for it, e.g. as part of the Microsoft Active Protections Program. This obscures the quality of the software developed by Microsoft, but home users will not be able to do anything about it other than turn their eyes towards the alternatives.
