Patch Priority Index for December 2014

| Bulletin | CVE |
|---|---|
| MS14-080 | CVE-2014-6327, CVE-2014-6328, CVE-2014-6329 |
| MS14-084 | CVE-2014-6363 |
| APSB14-27 | CVE-2014-0580, CVE-2014-0587, CVE-2014-8443 |
| APSB14-28 | CVE-2014-9165, CVE-2014-8445, CVE-2014-9150 |
| MS14-081 | CVE-2014-6356, CVE-2014-6357 |
| MS14-082 | CVE-2014-6364 |
| MS14-083 | CVE-2014-6360, CVE-2014-6361 |
| MS14-075 | CVE-2014-6319, CVE-2014-6325, CVE-2014-6326 |
| MS14-066 | CVE-2014-6321 |
| Oracle Oct 2014 CPU | CVE-2014-6513, CVE-2014-6532, CVE-2014-6503 |

Tripwire’s December Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Oracle, and Adobe.

We start off the final Patch Priority Index of 2014 with the (hopefully) final Internet Explorer update of the year. This update resolves 14 vulnerabilities, and while most of them are typical memory corruption vulnerabilities, there’s one worth discussing. CVE-2014-6363 is fixed by both MS14-080 and MS14-084, depending on your platform. Users of Internet Explorer 6, 7, and 8 will need to install MS14-084 (and MS14-080 for other Internet Explorer vulnerabilities), while users of Internet Explorer 9, 10, and 11 only need to install MS14-080.

Up next, we have a couple of updates from Adobe resolving vulnerabilities in Flash Player and Reader / Acrobat. Most users are used to these patches due to their frequency – Adobe has almost reached a monthly patch cadence – so there’s nothing unexpected in either of them.

Up next we have three Microsoft Office bulletins. We have updates for Word, Excel, and Microsoft Office Components this month and all three bulletins describe file-parsing vulnerabilities. Again, there’s not a lot of surprise here, since most people expect Office patches on a regular basis.

The final new bulletin this month is one we expected to see last month, resolving four vulnerabilities in Exchange and, more specifically, OWA.

Ending the list this month, we have a few reminder items. The first is MS14-066, which was reissued in December and contains a critical fix for Microsoft SChannel. The other is a reminder of the Oracle October 2014 CPU, which contained numerous patches for multiple products.

Happy Patching! We’ll see you in 2015!