Microsoft released its first security patch of 2015, and it's a relatively small one. This month features only one security bulletin rated "critical" and seven rated "important," addressing a total of eight flaws in Microsoft's software and services.
The lone critical item (bulletin MS15-002) is a remote code execution (RCE) fix for all supported Windows and Windows Server versions. The privately reported flaw lies in the Telnet service, which implements the Telnet network protocol used to facilitate text communication through a virtual console. According to Microsoft, systems could be attacked if a malicious packet is sent to a Windows Server version that has the Telnet service enabled. It's important to note that while the Telnet service is installed in Windows Server 2003, it is disabled by default. As for the Windows OS, the service must be manually downloaded and enabled in Windows Vista and later versions.
While the bulletin carries Microsoft's highest severity level, those who may be affected are a small group, according to Qualys CTO Wolfgang Kandek. "If you run the Microsoft Telnet server this is your top vulnerability this month, especially if exposed to the Internet. At Qualys we do not see many people using Telnet in general, so this vulnerability should be fairly sparse," wrote Kandek in an e-mailed statement.