Secplicity - Security Simplified

Powered by WatchGuard Technologies

Hefty Patch Day Despite Light Microsoft Turnout

January 14, 2014 By Corey Nachreiner

If any security professionals need a quick reminder that the end-of-year holidays are over and it’s time to get back to protecting information, Microsoft’s first Patch Day of the year will likely provide it. However, the good news is Microsoft is giving us a slow start with only four security updates for January. Unfortunately, two other companies, Oracle and Adobe, have filled in the gaps with big updates of their own.

Let’s start with Microsoft.

According to their summary post, Microsoft released four bulletins today which fix security flaws in Windows, Office, and their Dynamics AX server (an enterprise resource planning or ERP solution). They didn’t release any Critical bulletins this month, only ones with an Important rating; essentially their “medium” severity. Though vulnerabilities with this rating might be a bit more difficult to exploit (requiring local access or victim interaction), some of them could still allow remote attackers to gain full control of your users’ machines. In short, you should still take these updates seriously despite the light load and their less critical nature.

As far as priority, start with the Windows kernel vulnerability, as it fixes a zero day flaw that attackers are actively exploiting in the wild. Granted, the attackers exploiting it need local access to your computer to leverage the flaw, but if they have it, they gain full (SYSTEM) control of the PC. The remaining Windows and Office flaws are just about equal in severity. Which you focus on first is up to you. I’d probably consider the Office one, since bad guys like using malicious documents in their spear phishing emails lately. Finally, the Dynamics AX update fixes a DoS flaw. I don’t suspect many smaller organizations use this product, and DoS flaws aren’t quite as severe as others. So save this one for last, if you happen to use the product.

With Microsoft done, your focus this month is probably better served with patching Adobe and Oracle products. Adobe’s patch day always falls on the same Tuesday as Microsoft’s. However, Oracle happens to follow a quarterly patch cycle, which only occasionally lines up directly with Microsoft’s Patch Day. Unfortunately, this is one such month, and you get to enjoy the unholy trifecta of patching three big corporations’ products at once. Yay (sarcasm)!

Today, Adobe has released updates for Reader, Acrobat, and Flash Player, and Oracle has released their huge Critical Patch Update, fixing over a hundred flaws in a wide variety of products. I’ll post more details about these updates later today, but for now you can check out Adobe’s or Oracle’s pre-announcement advisories if you want a head start.

I’ll post the detailed alerts for Microsoft’s Windows and Office updates shortly. Since I doubt the majority of customers use Dynamics AX, I don’t plan on posting a full alert for it, so if you use it, be sure to check out Microsoft’s alert (MS14-004) yourself and grab the corresponding updates. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day Summary, Jan 2014


Filed Under: Security Bytes Tagged With: Adobe, Dynamics AX, Microsoft, MySQL, Oracle, Reader, Updates and patches, Zero day exploit
