Patch Priority Index for February 2014
CVE-2014-0268, CVE-2014-0271, CVE-2014-0293
| MS14-009 | CVE-2014-0253, CVE-2014-0257, CVE-2014-0295 |
| Oracle Java Update | CVE-2014-0410, CVE-2014-0415, CVE-2013-5907 |
| Oracle CPU | CVE-2013-5764, CVE-2013-5853, CVE-2013-5858 |
Tripwire’s February Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle.
We start this month with the latest IE patch and a non-IE patch that only applies to IE 9 users. This is also a good time to recommend that everyone upgrade to Internet Explorer 11 if you can and, if you can’t, install Microsoft EMET on your systems. Even if you do have IE 11, you should still use EMET.
Following IE, we have another patch protecting against drive-by attack vectors. MS14-007 resolves an issue with Direct2D that can be exploited via the browser.
After the drive-by MS patches, it’s time to take a look at the Adobe patches this month. The Adobe Flash update (APSB14-04) was released earlier than expected, and a Shockwave update (APSB14-06) was released alongside the Microsoft patches. Keep in mind that if you have IE 11, there’s a separate Flash update that you need to install.
Following that, we have three additional Microsoft patches: one for .NET, which includes a couple of fixes; one for an MS XML information disclosure; and one that fixes a denial of service in IPv6. A final MS patch, MS14-008, which fixes a vulnerability in Forefront Protection for Exchange, was released but is not represented in this list. It was excluded because Microsoft commented that they felt exploitation was unlikely.
We then wrap up the list with a couple of leftover patches from last month to serve as a reminder. Both are from Oracle: the Java Update and the generic CPU, which includes updates for Oracle DB, Solaris, and a number of other products.