It's that time of the month again, when Microsoft scrambles to plaster over the latest crop of vulnerabilities in Windows and Internet Explorer.
The first Patch Tuesday of 2015 brings eight security updates, one of which is rated Critical in severity, while the rest are rated Important.
The Critical patch (MS15-002) addresses a vulnerability in the Telnet server component of Windows that can allow an attacker to execute code remotely by sending specially crafted packets to the Telnet port.
Mind you, most Windows systems aren't running the Telnet server. It comes installed but not enabled by default on Windows Server 2003. It also ships as an option for Windows Vista and later, but it must be explicitly installed via the "Turn Windows features on or off" control panel.
The rest of January's patches (which paying customers were tipped off about) aren't considered to be as urgent as the Telnet flaw, but they address a range of serious issues ranging from privilege elevation to bypassing security features and denial of service.
Two of the patches plug a pair of privilege escalation flaws that were made public by Google's Project Zero initiative earlier this month – much to Microsoft's chagrin – including one in the Windows Application Compatibility cache (MS15-001) and another in the User Profile Service (MS15-003).
The other fixes address bugs that were privately disclosed to Microsoft, affecting such subsystems as Network Location Awareness (MS15-005), Windows Error Reporting (MS15-006), and Network Policy Server (MS15-007), in addition to other Windows components and drivers (MS15-004, MS15-008).
In an almost shocking twist, this was the first Patch Tuesday in many months that didn't bring with it multiple security fixes for Internet Explorer. While Redmond did issue an IE patch, it's just an update to an earlier, dodgy patch that reportedly caused browser crashes and other issues for some users.
IE users will want to be sure to install another patch roll-up on Tuesday, too, but this one isn't actually Microsoft's fault. No, it's to plaster over the nine new security vulnerabilities that Adobe has spotted in its Flash Player and AIR runtime software.
The bugs affect users on Windows, OS X, and Linux, and include six remote code execution flaws, an issue with improper file validation, and a bug that could leak memory addresses that could allow an attacker to wreak further mischief.
Microsoft has posted a patch that fixes the built-in version of Flash that ships with IE10 and 11, which is available now along with the other Patch Tuesday fixes via Windows Update. Expect a fix for Chrome's built-in version of Flash to arrive shortly. Users of other browsers, on the other hand, should either get the patch via the Flash Player auto-update mechanism, or else download the latest version from the Adobe Flash Player Download Center. ®