Tripwire’s January Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle.
This month’s PPI is unique in that Microsoft is not at the top of the list; instead Java tops the list as part of the Oracle January Critical Patch Update. The CPU patches 34 Java vulnerabilities and should not be ignored.

| Bulletin | CVE |
|---|---|
| Oracle Java Update | CVE-2014-0410, CVE-2014-0415, CVE-2013-5907 |
| APSB14-01 | CVE-2014-0493, CVE-2014-0495, CVE-2014-0496 |
| MS13-097 | CVE-2013-5047, CVE-2013-5048, CVE-2013-5049 |
| MS14-001 | CVE-2014-0258, CVE-2014-0259, CVE-2014-0260 |
| Oracle CPU | CVE-2013-5764, CVE-2013-5853, CVE-2013-5858 |

Following the Java update, we’ve got two updates from Adobe, one for Reader and Acrobat and another for Flash. Given that Reader and Flash are always popular malware targets, it’s advisable to install these updates as quickly as possible.
Up next we have the Microsoft updates, which did not include a new Internet Explorer patch this month. Our first Microsoft patch, MS14-002, is a privilege escalation that has been used in public exploits alongside Adobe vulnerabilities to gain SYSTEM access. Since this has been used publicly, it is advisable to patch it quickly. Following that are two patches from last year resolving a 0-day issue and the last Internet Explorer fix.
The next bundle includes the rest of the updates from this year’s first patch drop, including a privilege escalation in Win32k.sys, a fix for Word and Word Service for SharePoint (including Office WebApps), and a patch for Microsoft Dynamics AX. The last two will only affect certain environments, so make sure you read the full list of affected software.
The last spot on the list this month goes to the Oracle CPU. I split out Java because of its popularity, but the remainder of the CPU can be bundled up to make it on this list. Oracle Database, Fusion Middleware, and Solaris are just a few of the items with patches available this month.
The Tripwire VERT Team – @TripwireVERT