Tripwire’s September Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Apple, Oracle, Cisco, and Adobe.
|Bulletin|CVEs|
|---|---|
|MS14-052|CVE-2013-7331, CVE-2014-2799, CVE-2014-4059|
|APSB14-021|CVE-2014-0547, CVE-2014-0548, CVE-2014-0549|
|APSB14-022|CVE-2014-0560, CVE-2014-0561, CVE-2014-0562|
|OS X Mavericks 10.9.5|CVE-2013-7345, CVE-2014-0185, CVE-2014-0207|
|MS14-055|CVE-2014-4068, CVE-2014-4070, CVE-2014-4071|
|Cisco Semiannual IOS Bundle|CVE-2014-3359, CVE-2014-3357, CVE-2014-3358|
Up first this month, we have ShellShock, the Bash vulnerability that everyone has been talking about. With a plethora of information already available, we won't spend much time on the details. It is important to note, however, that the external attack vectors vary from service to service, and the fact that a service is reachable does not by itself tell you whether the attack vector is. This is why updating every system that you suspect to be vulnerable, rather than only those with an obviously exposed service, is so important.
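Because exposure alone does not settle the question, the reliable answer is to test every copy of bash on every host. The following is an added local check, not code from the Tripwire post: it probes each bash binary with the widely published ShellShock test and reports its status; the candidate paths, the marker string and the function names are assumptions.

```shell
#!/bin/sh
# shellshock_status PATH -> prints "vulnerable", "patched", "not-bash" or "missing".
# The probe is the widely published ShellShock test: a function definition in an
# environment variable followed by a trailing command. A fixed bash imports (or
# rejects) the function only and never runs what follows it, so the marker does
# not appear in the child's output.
shellshock_status() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "missing"; return 0
    fi
    # Only bash sets BASH_VERSION; dash, ash and friends are out of scope here.
    ver=$("$bin" -c 'printf %s "$BASH_VERSION"' 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "not-bash"; return 0
    fi
    out=$(env x='() { :;}; echo PROBE_MARKER' "$bin" -c 'echo probe-done' 2>/dev/null) || out=""
    case "$out" in
        *PROBE_MARKER*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
}

# shellshock_inventory [PATH...] -> one "PATH status" line per candidate binary.
# The default locations are assumptions; pass extra paths for bundled copies.
shellshock_inventory() {
    for bin in "$@" /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        echo "$bin $(shellshock_status "$bin")"
    done
    # #!/bin/sh scripts started by a service run whatever /bin/sh really is,
    # so report it too (it is bash on some systems and dash on others).
    if [ -x /bin/sh ]; then
        real=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
        echo "/bin/sh -> $real $(shellshock_status /bin/sh)"
    fi
}

# Exit status for a fleet or configuration-management job:
# 0 = no vulnerable copy found, 1 = at least one vulnerable copy.
shellshock_any_vulnerable() {
    if shellshock_inventory "$@" | grep -q ' vulnerable$'; then
        return 1
    fi
    return 0
}
```

Run `shellshock_inventory` on each suspect host, adding the paths of any bash binaries bundled with applications, and treat any "vulnerable" line as a system that still needs the update.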
Following ShellShock, we have the latest Internet Explorer update. Keeping your browser up to date is critical, and many people forget that IE is installed by default, so it needs extra attention. The first Adobe update on the list pairs nicely with the IE bulletin because it fixes issues in Flash. As usual, the release of a Flash update means an update to Internet Explorer as well; ensure that both are applied.
APSB14-021 & APSB14-022
Adobe also gave us an update to Acrobat and Reader this month, and this is where I usually fall behind. I always update my Windows systems, but my PDF reader is sometimes forgotten, even though I write about the updates here. I suggest that, as you're reading this, you open your PDF reader and check for updates.
MS14-054 & OS X Mavericks 10.9.5
The Windows Task Scheduler update is important to apply but requires little discussion: a local user can schedule a malicious task to escalate their privileges. The update after that, however, OS X Mavericks 10.9.5, is worth discussing considering the number of critical vulnerabilities it resolves. If you're an OS X user who has been delaying this update via the 'Remind Me Tonight' function… consider yourself warned that tonight is a good time to update.
MS14-055 & MS14-053
Next, we have the final two Microsoft bulletins from September. The first, MS14-055, fixes several issues in Lync Server. If you run Lync Server this is an important update, so enterprises take heed… apply this patch, because someone may decide to target your public services. The .NET bulletin (MS14-053) is less important but should still be patched as soon as possible.
Cisco Semiannual IOS Bundle
The penultimate patch on the list this month is the Cisco IOS bundle. This was released rather quietly while everyone was paying attention to ShellShock. If you’re using Cisco networking gear, make sure you didn’t lose sight of these patches in the noise.
Finally, we have MS14-044 from August. This was the first security update released for SQL Server 2014, so even though it wasn't the most important patch last month, we felt it was worth mentioning again. Some companies may not yet have teams in place for their SQL Server 2014 security needs, so consider this a second reminder to get those patches deployed.