
Tripwire’s March Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle. This month starts off like most, with an Internet Explorer update. This update brings fixes for a couple of in-the-wild vulnerabilities, so step number one this month is definitely applying this patch.

The second item on the list, MS14-013, should also be high on your list this month, as it fixes a new drive-by vulnerability. The upside to this one is that right now, Microsoft doesn’t feel a new exploit is likely to be released quickly.

Rank  Bulletin / Advisory   CVEs
1     MS14-012              CVE-2014-0297, CVE-2014-0298, CVE-2014-0299
2     MS14-013              CVE-2014-0301
3     APSB14-08             CVE-2014-0503, CVE-2014-0504
4     APSB14-10             CVE-2014-0505
5     MS14-015              CVE-2014-0300, CVE-2014-0323
6     MS14-014              CVE-2014-0319
7     MS14-016              CVE-2014-0317
8     MS14-007              CVE-2014-0263
9     Oracle Java Update    CVE-2014-0410, CVE-2014-0415, CVE-2013-5907
10    Oracle CPU            CVE-2013-5764, CVE-2013-5853, CVE-2013-5858

Following the two drive-by attack fixes from Microsoft, we switch our attention to Adobe. Most people are probably aware of the Flash update that was released on Patch Tuesday (remember to update your IE 11 install) but how many people noticed the Shockwave update that dropped a couple of days later? Both of these updates should be applied in a timely fashion.

Following the Adobe updates, we have the remainder of the new Microsoft patches. This includes a fix for an ASLR/DEP bypass in Silverlight, a privilege escalation in Win32k.sys, and an account lockout bypass in the Security Account Manager Remote (SAMR) protocol. While the ASLR/DEP bypass can’t be exploited directly for code execution, it could be used alongside other attacks. The SAMR account lockout bypass is interesting but definitely warrants being a little lower on the list.

Finally, we round this month out with three bulletins that have lingered a little bit. The first is a drive-by vulnerability that Microsoft fixed last month. It wasn’t replaced this month, so it’s a good reminder for anyone who hasn’t patched it. The other two spots on the top ten list go to Oracle updates, both the Java update and the CPU from January.

If you still haven’t applied those, all we can ask is WHY?

Happy Patching!

See Also: VERT Alert: March 2014 Microsoft Patch Tuesday Analysis
