Qualys Blog

www.qualys.com
wkandek

February 2014 Patch Tuesday Preview – Update

Update:

Microsoft just added two new bulletins to the lineup. Bulletin #1 is now a critical update for Internet Explorer affecting all versions of the browser from IE6 to IE11. Bulletin #2 is a critical vulnerability in Windows affecting XP through Windows 8 and RT. This makes this Patch Tuesday quite a bit more relevant, with what is now a fairly normal workload.

The remaining bulletins are all renumbered: the old Bulletin #1 becomes #3, #2 becomes #4, and so on.

Original:

Today Microsoft announced its lineup for next week’s Patch Tuesday. With only five bulletins, it is quite small again, the second time this year after January’s four-bulletin release. Also for the second time, there is no update to Internet Explorer, which we have grown accustomed to seeing in the monthly releases. We definitely expect an update next month in March, at the very least to get the newest browser out in front of the PWN2OWN competition at CanSecWest, which is held on March 12-14.

Two of this month’s bulletins are rated "critical," with the remainder rated "important." Bulletin #1 directly addresses a flaw in the Windows operating system and applies to both clients and servers (Windows 7, 2008, 8 and RT); Windows XP and Vista are not affected. Bulletin #2 is on the server side only, for Microsoft’s Forefront Security product, an anti-spam and anti-malware tool for Microsoft Exchange Server.

Bulletins #3 and #4 are local vulnerabilities for all versions of Windows, and address an elevation of privilege and an information disclosure vulnerability respectively. Bulletin #5 addresses a Denial of Service condition in Windows 8.

In addition to Microsoft, both Adobe and Mozilla released new software this week.

Adobe addressed a 0-day in Adobe Flash with an out-of-band update (APSB14-04). It fixes a vulnerability (CVE-2014-0497) that is being exploited in the wild. Flash versions 12 and 11 are affected on both Windows and Mac OS X, and Flash version 11 is affected on the Linux platform. Users of Google Chrome and Microsoft Internet Explorer 10 and 11 have received their updates automatically through a browser update. Users of other browsers, for example Safari on Mac OS X, Firefox or older versions of IE, need to update Flash on the operating system itself. Adobe credits Kaspersky with the discovery of the problem; Kaspersky has posted a detailed technical analysis on their blog.

We recommend installing this update as quickly as possible. Adobe Flash is widely installed and used on the majority of web pages to provide active content for videos and games. It is difficult to restrict its use, and users cannot be expected to present any obstacle to an attack that is embedded in a well-known, trusted web page.

Mozilla updated Firefox to v27. Firefox is a very popular browser with about 23% market share, according to our statistics from our free browser security tool BrowserCheck. Mozilla addressed 13 vulnerabilities. Five of the addressed vulnerabilities are rated as "critical," which means that an attacker can use them to take control of the targeted machine. Attacks of this type usually come through a website that the attacker controls: either a legitimate site that is itself a victim of the attacker, who counts on the site’s normal visitors to fall prey to the attack, or a site specifically set up for the task that then uses "Search Engine Poisoning" to attract visitors. The vulnerability fixed in MFSA2014-08, one of the five critical ones, shows how this could work. In this patch, the image processing within Firefox is fixed; to abuse the condition, an attacker would have to feed the browser images with certain format violations to trigger a processing error and gain code execution in the browser.

Again, we recommend updating to this latest version as quickly as possible if you are a Firefox user.
