Qualys Blog

www.qualys.com
wkandek

January 2014 Patch Tuesday

Today is the year’s first Patch Tuesday, and while Microsoft is only releasing four updates, there is plenty of work for IT administrators due to releases by Adobe and Oracle.

Oracle addresses 144 vulnerabilities in its Critical Patch Update (CPU) for January 2014, which is a new record for Oracle. The majority of vulnerabilities are in Java v7; remember, Java v6 has reached its end-of-life already. The Java v7 update 51 has 34 remotely exploitable fixes, with the most critical ones receiving a ranking of “10,” the maximum value on the Common Vulnerability Scoring System (CVSS) scale. Java was one of the most attacked pieces of software in 2013 and it will continue to be so due to its sluggish update record. It was in the news recently when attackers installed malware through advertisements on Yahoo’s homepage by abusing a Java vulnerability on the affected users’ machines. Fix this vulnerability first, and if you encounter resistance to updating Java, map out why the machines in question cannot run this latest version.
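The post's advice to fix Java first and to map out why some machines cannot move to 7u51 is easy to turn into a triage step over an inventory export. The script below is an added example, not code from the post or from Qualys: it parses the common Oracle version spellings ("1.7.0_51", "7u51", "1.7.0_51-b13"), classifies each host as current, outdated, still on end-of-life Java 6, or Java-free, and groups the non-current hosts by the recorded reason they are pinned. The host names, version strings and blocker labels are constructed sample data, and the inventory row format is an assumption.

```python
import re
from collections import defaultdict

# Target from the post: Java 7 Update 51. Anything with major version < 7 is
# end-of-life Java 6 (or older) and needs a migration plan, not just a patch.
TARGET = (7, 51)

# Constructed sample inventory (hypothetical hosts). The "blocker" field is
# where the reason a host cannot run the latest Java is recorded, as the post
# recommends mapping out.
INVENTORY = [
    {"host": "ws-01",  "java": "1.7.0_51",     "blocker": ""},
    {"host": "ws-02",  "java": "1.7.0_45",     "blocker": ""},
    {"host": "ws-03",  "java": "7u25",         "blocker": "legacy-applet"},
    {"host": "srv-04", "java": "1.6.0_45",     "blocker": "vendor-app-x"},
    {"host": "ws-05",  "java": "",             "blocker": ""},   # no Java installed
    {"host": "ws-06",  "java": "1.7.0_51-b13", "blocker": ""},
]


def parse_java_version(s):
    """Return (major, update) for the usual Oracle version spellings, or None."""
    s = s.strip()
    # "1.7.0_51" or "1.7.0_51-b13" (build suffix ignored)
    m = re.match(r"^1\.(\d+)\.\d+_(\d+)(?:-b\d+)?$", s)
    if m:
        return int(m.group(1)), int(m.group(2))
    # Short marketing form "7u51"
    m = re.match(r"^(\d+)u(\d+)$", s)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def classify(version_str):
    """Map a version string to one of: current, outdated, eol, none, unparsed."""
    v = parse_java_version(version_str)
    if v is None:
        return "none" if not version_str.strip() else "unparsed"
    if v[0] < 7:
        return "eol"
    if v < TARGET:          # tuple comparison: (7, 45) < (7, 51)
        return "outdated"
    return "current"


def triage(inventory):
    """Group hosts by status and collect the stated blockers for non-current hosts."""
    by_status = defaultdict(list)
    by_blocker = defaultdict(list)
    for row in inventory:
        status = classify(row["java"])
        by_status[status].append(row["host"])
        if status in ("eol", "outdated"):
            by_blocker[row["blocker"] or "no reason recorded"].append(row["host"])
    return dict(by_status), dict(by_blocker)


if __name__ == "__main__":
    statuses, blockers = triage(INVENTORY)
    for status, hosts in sorted(statuses.items()):
        print(f"{status:9s} {', '.join(hosts)}")
    print("blockers to resolve before Java can be updated:")
    for reason, hosts in sorted(blockers.items()):
        print(f"  {reason}: {', '.join(hosts)}")
```

Hosts with "no reason recorded" are the ones to chase first: they have no documented dependency, so nothing should stop them from taking 7u51. The "unparsed" bucket catches version strings the regexes do not understand, which is better than silently treating an unknown build as current.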

Adobe is releasing two updates, both critical, i.e., they allow remote code execution and total control of the affected system. APSB14-01 is an update to Adobe Acrobat and Reader, with an attack vector being a PDF file. APSB14-02 is an update to Adobe Flash, which has the typical attack vectors of malicious web pages and documents with embedded Flash objects. Both packages of Adobe should be high on your update list. Users of Google Chrome and Internet Explorer 10 and 11 do not need to worry about the Flash update as it will be installed through their respective auto update mechanisms.

Microsoft has four bulletins, all of which are rated “Important” in severity. MS14-001 addresses a file format vulnerability in Microsoft Word that can be used to get Remote Code Execution on the targeted system when opening a malicious file. It is the most important vulnerability to address. It applies to all Microsoft Word versions on Windows (2003, 2007, 2010 and 2013), plus the Word document viewers. Mac OS X users are not affected. MS14-002 is a patch for last month’s 0-day vulnerability in Windows XP and 2003. The vulnerability is a local Escalation of Privilege, i.e., it can only be used by an attacker who is already on the machine as a standard user and needs to gain administrative rights. Microsoft first acknowledged its existence on November 27, 2013 in KB2914486 and indicated that it was used in a small number of targeted attacks that used a patched vulnerability in Adobe Reader (APSB13-15 from May 2013) as a delivery vehicle. The remaining bulletins, MS14-003 and MS14-004, address a kernel vulnerability in Windows and a Denial of Service condition in Microsoft’s Dynamics AX ERP program.

In summary, our priority list for this month: Java, Adobe Reader and Flash, Microsoft Word and the 0-day.

BTW, there are more vulnerabilities in the Oracle CPU release that you should look at if you run the respective Oracle software:

  • MySQL has 18 vulnerabilities, and three can be attacked remotely with a maximum CVSS score of “10.”
  • Solaris has 11 fixes, including one that can be attacked remotely. The maximum CVSS score is “7.2.”
  • Oracle Virtualization Software, which includes the popular VirtualBox, has nine vulnerabilities, and four of them can be triggered remotely with a maximum CVSS score of “6.2.”
  • The Oracle RDBMS itself has five vulnerabilities, one of which can be exploited remotely.
