Update: Adobe will release a new version of its Reader and Acrobat products on Tuesday as well. The new versions will address critical issues on both Windows and Mac OS X.
Original: 2014’s first Patch Tuesday is coming up next week and it will be a full plate for IT administrators even though we are looking at only four bulletins from Microsoft. Oracle will simultaneously release its Critical Patch Update, and these quarterly releases typically address over 100 vulnerabilities in their large software line. For example, 127 were addressed in October of 2013. Analyzing the applicability of these flaws to one’s software infrastructure and addressing them are a major concern for any organization that uses Oracle products.
Microsoft will have four bulletins addressing flaws in Windows, Microsoft Office and Dynamics AX, none of them rated critical. This is significantly less than January’s seven bulletins in 2013 and 2012. We expect Bulletin #2 to address the 0-day vulnerability CVE-2013-5065 in Windows XP and 2003, which has seen limited attacks since the end of November of last year. These attacks have been coming in through PDF documents using an already fixed vulnerability of Adobe Reader and users of updated versions, i.e post APSB13-15 from May of 2013 should be immune to this attack vector.
While there is no update for Internet Explorer, taking care of your browser should still be among your highest priority items. Running the most updated browser version is the best way to deal with the web based attacks, which have increased their heft in 2013. They are now the main threat vector, and more companies have been infected through web-based attacks than through e-mail. Beyond the browser, one needs to pay attention to the browser plug-ins, and in that class, the most important is Oracle’s Java. Java just suffered a widely published attack during the Yahoo Ad-based attacks from Dec 30 2013-Jan 3 2014, where the Magnitude exploit kit was used to deliver malware to users that were running an outdated version of Java. Oracle is coming out with Java v7u51, which is addressing a number of security flaws and further tightening its security parameters setup.
Back to the Microsoft January release. In summary, we will have four patches total, with only one in the Remote Code Execution (RCE) category:
- Bulletin #1, a RCE for a new version of Internet Explorer
- Bulletin #2, to address 0-day flaw in XP and 2003
- Bulletin #3 in Windows
- Bulletin #4 in Dynamcs AX, Microsoft’s ERP system
Please stay tuned for more updates on this post as we get more information about the Oracle patches.