2014 Is Off To A Good Start With Microsoft - Not So Good With Oracle
IT and cyber security professionals breathed a collective sigh of relief after reviewing Microsoft's January Patch Tuesday security bulletins: a light workload! Microsoft released four (4) bulletins this January 2014 Patch Tuesday and none are rated critical. The patches mitigate a Remote Code Execution issue in SharePoint Server and Microsoft Word, a Kernel issue in XP and Windows 2003, a Kernel issue associated with Elevation of Privilege in Windows 7 and Windows Server 2008 R2, and a Denial of Service issue in Microsoft Dynamics AX.
Oracle is more than making up for Microsoft's light workload in January! Oracle is releasing just under 150 fixes that will impact about 47 of their products. Approximately 85 of the issues are remotely exploitable without any need for user authentication. Ouch! While Oracle will be the focus this Patch Tuesday for IT flaw remediation, do not discount the risk of unpatched low-level Microsoft issues. Always Patch Wide & Patch Fast.
Microsoft released 4 Bulletins this January 2014 Patch Tuesday and none are rated as Critical.
- MS14-001 mitigates a Remote Code Execution issue in SharePoint Server and Microsoft Word and covers 3 related CVE issues: CVE-2014-0258, CVE-2014-0259, CVE-2014-0260
- MS14-002 mitigates the XP and Windows 2003 Kernel issue that could provide an Elevation of Privilege, which was previously addressed in November's Security Advisory 2914486, and covers 1 related CVE issue: CVE-2013-5065
- MS14-003 mitigates a Kernel Mode Drivers issue that could provide an Elevation of Privilege in Windows 7 and Windows Server 2008 R2 and covers 1 related CVE issue: CVE-2014-0262
- MS14-004 mitigates a Denial of Service issue in Microsoft Dynamics AX and covers 1 related CVE issue: CVE-2014-0261
It is also interesting to note that there is no Cumulative Security Update for Internet Explorer this period — this had been a regular component of Patch Tuesday for a long while now. Hopefully this lack of a cumulative update for IE represents Microsoft getting ahead of browser issues.
In terms of priorities, the suggested patching order puts the Kernel issue in MS14-002, which reportedly is under limited targeted attack, first, followed by MS14-001, MS14-003 and MS14-004.
While Microsoft gave us a light workload this January Patch Tuesday, Oracle is more than making up for it. As you should be aware, Oracle releases patches quarterly while Microsoft releases monthly, so each Oracle release carries a greater number of patches. That being said, Oracle is releasing just under 150 fixes that will impact about 47 of their products. Approximately 85 of the issues are remotely exploitable without any need for user authentication. While we have not seen a Java zero-day in a while now, Java is, as expected, a big part of the patch load, with 36 issues patched for Java 7 SE (34 remotely exploitable). Read more about the Oracle Critical Patch Pre-release announcement here.
Always Patch Wide & Patch Fast - While Oracle will be the focus this Patch Tuesday for IT flaw remediation, do not discount the risk of unpatched low-level Microsoft issues. None of the Microsoft bulletins this period are rated as Critical, but as we have taught in both SANS SEC401 Security Essentials and SEC501 Advanced Security Essentials - Enterprise Defender, it is essential to remember that multiple Important-level vulnerabilities can be combined (chained) and produce critical / devastating results!
Senior SANS Instructor - Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, VCP4/5, vExpert