Patch Priority Index for September 2014

| Bulletin | CVE |
| --- | --- |
| ShellShock | CVE-2014-6271, CVE-2014-7169 |
| MS14-052 | CVE-2013-7331, CVE-2014-2799, CVE-2014-4059 |
| APSB14-021 | CVE-2014-0547, CVE-2014-0548, CVE-2014-0549 |
| APSB14-022 | CVE-2014-0560, CVE-2014-0561, CVE-2014-0562 |
| MS14-054 | CVE-2014-4074 |
| OS X Mavericks 10.9.5 | CVE-2013-7345, CVE-2014-0185, CVE-2014-0207 |
| MS14-055 | CVE-2014-4068, CVE-2014-4070, CVE-2014-4071 |
| MS14-053 | CVE-2014-4072 |
| Cisco Semiannual IOS Bundle | CVE-2014-3359, CVE-2014-3357, CVE-2014-3358 |
| MS14-044 | CVE-2014-1820, CVE-2014-4061 |

Tripwire’s September Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Apple, Oracle, Cisco, and Adobe.

Up first this month, we have ShellShock, the BASH vulnerability that everyone has been talking about. With a plethora of information available, we won’t spend too much time going over the details; we have the link above to cover that. It’s important to note, however, that external attack vectors vary from service to service and the availability of a service does not imply the availability of the attack vector. This is why updating every system that you suspect to be vulnerable is so important.

Following ShellShock, we have the latest Internet Explorer update. Keeping your browser up-to-date is critical and many people forget they have IE installed by default, so you need to pay extra attention to it. The first Adobe update on the list pairs quite nicely with the IE bulletin because it fixes issues in Flash. As usual, the release of a Flash update indicates an update to Internet Explorer as well; ensure that all updates are applied.

Adobe also gave us an update to Acrobat and Reader this month, and this is where I usually fall behind. I always update my Windows systems, but my PDF reader is sometimes forgotten, even though I write about the updates here. I suggest that, as you’re reading this, you open your PDF reader and check for updates.

The Windows Task Scheduler update is important to apply but requires little discussion. A user can schedule malicious tasks to escalate their permissions. The update after that, however, OS X Mavericks 10.9.5, is worth discussing considering the number of critical vulnerabilities resolved. If you’re an OS X user who has been delaying this update via the ‘Remind Me Tonight’ function... consider yourself warned that tonight is a good time to update.

Next we have the final two Microsoft bulletins from September. The first fixes several issues in Lync Server. This is an important vulnerability if you have Lync Server, so enterprises take heed... apply this patch before someone decides to target your public services. The .NET bulletin (MS14-053) is less important but should still be patched as soon as possible.

The penultimate patch on the list this month is the Cisco IOS bundle. This was released rather quietly while everyone was paying attention to ShellShock. If you’re using Cisco networking gear, make sure you didn’t lose sight of these patches in the noise.

Finally, we have MS14-044 from August. This was the first SQL Server 2014 patch released, so even though it wasn’t the most important patch released last month, we felt it was worth mentioning again. Some companies may not have teams in place for their SQL Server 2014 security needs, so this is a second reminder to get those patches deployed.