Tripwire’s March Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle. This month starts off like most, with an Internet Explorer update. This update brings fixes for a couple of in-the-wild vulnerabilities, so step number one this month is definitely applying this patch.
The second item on the list, MS14-013, should also be high on your list this month, as it fixes a new drive-by vulnerability. The upside to this one is that, right now, Microsoft doesn’t consider a working exploit likely to appear quickly.
| Update | CVEs |
|---|---|
| MS14-012 | CVE-2014-0297, CVE-2014-0298, CVE-2014-0299 |
| Oracle Java Update | CVE-2014-0410, CVE-2014-0415, CVE-2013-5907 |
| Oracle CPU | CVE-2013-5764, CVE-2013-5853, CVE-2013-5858 |
Following the two drive-by fixes from Microsoft, we switch our attention to Adobe. Most people are probably aware of the Flash update released on Patch Tuesday (remember to update your IE 11 install, which bundles its own copy of Flash), but how many people noticed the Shockwave update that dropped a couple of days later? Both of these updates should be applied in a timely fashion.
Following the Adobe updates, we have the remainder of the new Microsoft patches. These include a fix for an ASLR/DEP bypass in Silverlight, a privilege escalation in Win32k.sys, and an account lockout bypass in the Security Account Manager Remote (SAMR) protocol. While the ASLR/DEP bypass can’t be exploited directly for code execution, it could be chained with a separate memory corruption bug to make that bug reliably exploitable. The SAMR account lockout bypass is interesting, but it definitely warrants a spot a little lower on the list.
Finally, we round this month out with three bulletins that have lingered a little. The first is a drive-by vulnerability that Microsoft fixed last month. The bulletin wasn’t superseded this month, so it’s a good reminder for anyone who hasn’t patched it yet. The other two spots on the top ten go to Oracle updates: both the Java update and the Critical Patch Update (CPU) from January.
If you still haven’t applied those, all we can ask is WHY?
See Also: VERT Alert: March 2014 Microsoft Patch Tuesday Analysis