New Year, New Patches in IT World

Tuesday, January 14, 2014 @ 05:01 PM gHale

Here we are in 2014 and some things just don’t change with the New Year. Take today’s Patch Tuesday. Three of the IT behemoths issued their first patch releases of the New Year, with Oracle leading the way and Microsoft and Adobe not far behind.

Oracle’s first patch update of the New Year was one of its biggest ever, a slew of security fixes of which the largest single group addresses vulnerabilities in Java.

The Critical Patch Update addresses 144 flaws across hundreds of Oracle products. Thirty-six of the fixes apply to Java SE, and 34 of those cover vulnerabilities that an attacker may be able to exploit remotely without authentication.

“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle officials said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

Five of the fixes apply to Oracle Database Server. One of those vulnerabilities may be remotely exploitable without authentication, meaning an attacker could exploit it over a network without a username and password.

The update covers affected products and components including JavaFX 2.2.45 and earlier; Java JDK and JRE 5.0u55, 6u65 and 7u45 and earlier; and Java SE Embedded 7u45 and earlier.
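The practical question for an administrator reading the version list above is whether a given host is still running an affected build. The following is an added example, not code from the article or from Oracle: it parses the legacy Java version strings that `java -version` prints (for example `java version "1.7.0_45"`) and compares them against the "and earlier" thresholds stated above. The thresholds are taken from the article; the sample `java -version` output is constructed for the example.

```python
import re

# Thresholds taken from the article: for each Java family, the highest
# update number that is still affected ("... and earlier").
AFFECTED_MAX_UPDATE = {5: 55, 6: 65, 7: 45}   # JDK/JRE 5.0u55, 6u65, 7u45
AFFECTED_MAX_JAVAFX = (2, 2, 45)               # JavaFX 2.2.45

# `java -version` prints a line such as: java version "1.7.0_45"
_JAVA_VERSION_LINE = re.compile(r'java version "(?P<ver>[^"]+)"')
# Legacy version strings look like 1.<family>.<minor>_<update>[-<build>]
_LEGACY_VERSION = re.compile(r'^1\.(?P<family>\d+)\.\d+(?:_(?P<update>\d+))?')


def parse_java_version(version_string):
    """Turn '1.7.0_45', '1.6.0_65-b20' or '1.5.0' into (family, update)."""
    m = _LEGACY_VERSION.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version_string)
    family = int(m.group("family"))
    update = int(m.group("update") or 0)  # no _NN suffix means the base release (update 0)
    return family, update


def is_affected_java(version_string):
    """True if this JDK/JRE/SE Embedded version is within the affected range,
    False if it is a later update, None if the family is not listed at all."""
    family, update = parse_java_version(version_string)
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]


def is_affected_javafx(version_string):
    """True for JavaFX 2.2.45 and earlier (tuple comparison of dotted parts)."""
    parts = tuple(int(p) for p in version_string.strip().split("."))
    return parts <= AFFECTED_MAX_JAVAFX


def check_java_version_output(output):
    """Take the text printed by `java -version` and return
    (version_string, affected), or (None, None) if no version line is found."""
    m = _JAVA_VERSION_LINE.search(output)
    if not m:
        return None, None
    ver = m.group("ver")
    return ver, is_affected_java(ver)


# Constructed sample output in the format `java -version` uses (it is written to stderr).
SAMPLE_OUTPUT = (
    'java version "1.7.0_45"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_45-b18)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)\n'
)

if __name__ == "__main__":
    import subprocess
    try:
        # `java -version` reports on stderr, so that is the stream we parse.
        out = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        out = SAMPLE_OUTPUT  # no Java on this host: fall back to the constructed sample
    ver, affected = check_java_version_output(out)
    status = {True: "affected, patch it", False: "later than the affected range",
              None: "family not listed in this bulletin"}[affected]
    print(ver, status)
```

Run it on each host that ships a JRE; a missing `_NN` suffix is treated as update 0, so a bare `1.7.0` is correctly reported as affected, and a family the bulletin does not list comes back as `None` rather than as a false "patched".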

The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.

Meanwhile, Microsoft released four security bulletins covering six vulnerabilities, along with the product updates that address them.

This is the first Patch Tuesday since September 2011 with no critical-rated updates, and the first since September 2012 with four or fewer bulletins.

The four bulletins rated important include:
• MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affects every version of Word and the Word Viewer, as well as the relevant parts of Office Web Apps and SharePoint. All three are remote code execution vulnerabilities.
• MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a specially crafted application and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003.
• MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must have valid logon credentials and be able to log on locally.
• MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning.

Last, but not least, Adobe’s Patch Tuesday release had fixes for Flash Player, Acrobat and Reader. All of the updates carry Adobe’s highest priority rating, which Adobe assigns when the fixed vulnerabilities are being targeted, or are at elevated risk of being targeted, by exploits in the wild.

The Flash Player bulletin covers two vulnerabilities, CVE-2014-0491 and CVE-2014-0492, which the article describes as remote code execution vulnerabilities.

CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496 affect Acrobat and Reader and are also remote code execution vulnerabilities. All of this month’s vulnerabilities were reported to Adobe directly.