Patch Priority Index for July 2014

| Bulletin | CVE |
| --- | --- |
| MS14-037 | CVE-2014-2783, CVE-2014-1763, CVE-2014-1765 |
| APSB14-17 | CVE-2014-0537, CVE-2014-0539, CVE-2014-4671 |
| MS14-038 | CVE-2014-1824 |
| MS14-040 | CVE-2014-1767 |
| OS X Mavericks 10.9.4 | CVE-2014-1370, CVE-2014-0015, CVE-2014-1371 |
| Java 8u5, 7u60 Update | CVE-2014-4227, CVE-2014-4219, CVE-2014-4216 |
| Oracle July 2014 CPU | CVE-2013-3751, CVE-2013-3774, CVE-2014-4245 |
| MS14-041 | CVE-2014-2780 |
| MS14-039 | CVE-2014-2781 |
| MS14-042 | CVE-2014-2814 |

Tripwire’s July Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Apple, Oracle, and Adobe.

We start this month like most others, with the Internet Explorer cumulative update. At this point, if you run Windows environments and the IE update is considered critical, you may need to rethink your strategy. While you are updating IE, think about applying the second update in our list, APSB14-17. This is the latest Flash update, and because Adobe has updated Flash, Microsoft has released an update to KB 2755801.

Up next on the list, we have the other critical Microsoft update from this month, MS14-038. The Microsoft Journal is an often forgotten component of Windows, designed for use by tablet users. The best piece of advice that we can offer is that if you aren’t on a tablet or you’re building a new clean image for your enterprise, disable all Windows Journal support (file associations, protocol handlers). This is an example of a great proactive step that can help you should vulnerabilities like this arise in the future.

Before we take a detour away from Microsoft, we should also discuss MS14-040, which resolves a vulnerability in AFD.sys, a commonly patched Microsoft driver. This is a serious privilege escalation that leads to SYSTEM level access, so applying this update is crucial.

OS X Mavericks received an update in the form of 10.9.4 on June 30th, and since Apple releases security fixes so infrequently, it’s worth installing this update if you haven’t yet. We also have two mentions for Oracle on the list. While both of these are addressed by the July 2014 CPU, we feel that Java is important enough to earn its own line item. Ensure you patch Java and all other Oracle products in a timely fashion. Uninstalling Java is always an option as well.

Finally, we close out with the final three Microsoft bulletins from the July patch drop. These address two privilege escalations (neither of which will result in SYSTEM access) and a denial of service in Microsoft Service Bus.