Patch Priority Index for May 2014

| Bulletin | CVE |
|---|---|
| MS14-029 | CVE-2014-0310, CVE-2014-1815 |
| APSB14-15 | CVE-2014-0511, CVE-2014-0512, CVE-2014-0513 |
| APSB14-14 | CVE-2014-0510, CVE-2014-0516, CVE-2014-0517 |
| MS14-024 | CVE-2014-1809 |
| MS14-023 | CVE-2014-1808, CVE-2014-1756 |
| MS14-022 | CVE-2014-0251, CVE-2014-1754, CVE-2014-1813 |
| MS14-025 | CVE-2014-1812 |
| MS14-027 | CVE-2014-1807 |
| Heartbleed | CVE-2014-0160 |
| MS14-018 | CVE-2014-0235, CVE-2014-1751, CVE-2014-1752 |

Tripwire’s May Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and OpenSSL.

This month starts off with the latest IE update. This update contains fixes for its own bulletin (MS14-029) as well as MS14-021, but it is not a cumulative update, which is why you’ll find mention of MS14-018 at the end of this month’s list. MS14-021 contained an out-of-band (OOB) fix, and one of the vulnerabilities in MS14-029 was used in targeted attacks, so applying this patch should be top priority.

Next we shift gears to Adobe, before getting to some interesting but less severe Microsoft patches. This month two Adobe patches have made the list, one for Reader/Acrobat and one for Flash. While it’s not a patch in the above list, KrebsOnSecurity.com has a great article on why you should abandon Shockwave.

Up next is a slew of Microsoft patches. We have fixes for an ASLR bypass, a known method of obtaining domain credentials, a privilege escalation used by malware, and a couple of others. It’s an interesting group, but other than the SharePoint patch, Microsoft has marked everything Important. Given how many of these items have been used publicly, it’s definitely worth applying this set of updates.

We end the month with the April Cumulative IE update (as mentioned above), but before that we have mention of Heartbleed again. This bug continues to exist and needs to be swatted with the biggest fly swatter we can find. If you haven’t updated your OpenSSL implementations, it’s advisable that you look into it this month.

Happy Patching!