Patch Priority Index for March 2014

| Priority | Bulletin | CVE |
|---|---|---|
| 1 | MS14-012 | CVE-2014-0297, CVE-2014-0298, CVE-2014-0299 |
| 2 | MS14-013 | CVE-2014-0301 |
| 3 | APSB14-08 | CVE-2014-0503, CVE-2014-0504 |
| 4 | APSB14-10 | CVE-2014-0505 |
| 5 | MS14-015 | CVE-2014-0300, CVE-2014-0323 |
| 6 | MS14-014 | CVE-2014-0319 |
| 7 | MS14-016 | CVE-2014-0317 |
| 8 | MS14-007 | CVE-2014-0263 |
| 9 | Oracle Java Update | CVE-2014-0410, CVE-2014-0415, CVE-2013-5907 |
| 10 | Oracle CPU | CVE-2013-5764, CVE-2013-5853, CVE-2013-5858 |

Tripwire’s March Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle.

This month starts off like most, with an Internet Explorer update. This update brings fixes for a couple of vulnerabilities already being exploited in the wild, so step number one this month is definitely applying this patch. The second item on the list, MS14-013, should also be high on your list this month, as it fixes a new drive-by vulnerability. The upside to this one is that, right now, Microsoft doesn't consider it likely that a new exploit will be released quickly.

Following the two drive-by attack fixes from Microsoft, we switch our attention to Adobe. Most people are probably aware of the Flash update that was released on Patch Tuesday (remember to update your IE 11 install) but how many people noticed the Shockwave update that dropped a couple of days later? Both of these updates should be applied in a timely fashion.

Following the Adobe updates, we have the remainder of the new Microsoft patches. This includes a fix for an ASLR/DEP bypass in Silverlight, a privilege escalation in Win32k.sys, and an account lockout bypass in the Security Account Manager Remote (SAMR) protocol. While the ASLR/DEP bypass can't be exploited directly for code execution, it could be used alongside other attacks. The SAMR account lockout bypass is interesting but definitely warrants being a little lower on the list.

Finally, we round this month out with three bulletins that have lingered a little bit. The first is a drive-by vulnerability that Microsoft fixed last month. It wasn't superseded this month, so it's a good reminder for anyone who hasn't patched it yet. The other two spots on the top-ten list go to Oracle updates, both the Java update and the Critical Patch Update (CPU) from January. If you still haven't applied those, all we can ask is WHY?

Happy Patching!