Patch Priority Index for November 2014

| Bulletin | CVE |
| --- | --- |
| MS14-066 | CVE-2014-6321 |
| MS14-065 | CVE-2014-6323, CVE-2014-6339, CVE-2014-4143 |
| MS14-068 | CVE-2014-5324 |
| MS14-064 | CVE-2014-6332, CVE-2014-6352 |
| MS14-067 | CVE-2014-4188 |
| APSB14-26 | CVE-2014-8439 |
| MS14-069 | CVE-2014-6333, CVE-2014-6334, CVE-2014-6335 |
| POODLE | CVE-2014-3566 |
| Oracle Oct 2014 CPU | CVE-2014-6513, CVE-2014-6532, CVE-2014-6503 |
| Cisco Semiannual IOS Bundle | CVE-2014-3359, CVE-2014-3357, CVE-2014-3358 |

Tripwire’s November Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Oracle, Cisco, and Adobe.

We start this month with the SChannel bulletin that everyone is talking about. Updating this will likely be at the top of most enterprise checklists. Because the threat is a remote, unauthenticated attack against server infrastructure, attackers will be putting in overtime to successfully exploit this vulnerability.

We follow up SChannel with this month’s IE update. Internet Explorer is regularly at the top of our list, but for the past few months bigger-ticket items have overshadowed it. This doesn’t reduce the risk presented by Internet Explorer vulnerabilities; updating IE as quickly as possible is always important for enterprises and end users alike.

With so many Microsoft updates this month, it was hard to determine which ones would fill a Top 10 list, but in the end we used Microsoft’s own classification system. Up next we have critical issues affecting Kerberos, Windows OLE, and XML Core Services. Following those updates, we have the latest Flash update. Keep in mind that Flash was updated twice in the month of November, so your first update may not have caught the latest security issues. Finally, we have one more Microsoft update, this one resolving a number of Office vulnerabilities. Since Office is a popular attack target, it’s worth mentioning here even though it wasn’t rated critical.

The list finishes with three carryovers from last month. POODLE, which people are still talking about, should be identified on systems in your environment, and an action plan should be developed. Oracle’s October patch drop was, as always, rather large, so determine which platforms were affected in your enterprise and start testing updates if you haven’t already. Finally, Cisco released their latest update back in September, but with so many high-priority items lately, we wanted to include this one again for organizations that may have missed the update previously.