
Tripwire’s January Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle.

This month’s PPI is unique in that Microsoft is not at the top of the list; instead, Java takes the top spot as part of the Oracle January Critical Patch Update (CPU). The CPU patches 34 Java vulnerabilities and should not be ignored.

Oracle Java Update: CVE-2014-0410, CVE-2014-0415, CVE-2013-5907
APSB14-02: CVE-2014-0491, CVE-2014-0492
APSB14-01: CVE-2014-0493, CVE-2014-0495, CVE-2014-0496
MS14-002: CVE-2013-5065
MS13-096: CVE-2013-3906
MS13-097: CVE-2013-5047, CVE-2013-5048, CVE-2013-5049
MS14-001: CVE-2014-0258, CVE-2014-0259, CVE-2014-0260
MS14-003: CVE-2014-0262
MS14-004: CVE-2014-0261
Oracle CPU: CVE-2013-5764, CVE-2013-5853, CVE-2013-5858

Following the Java update, we’ve got two updates from Adobe, one for Reader and Acrobat and another for Flash. Given that Reader and Flash are always popular malware targets, it is advisable to install these updates as quickly as possible.

Up next we have the Microsoft updates, which did not include a new Internet Explorer patch this month. Our first Microsoft patch, MS14-002, addresses a privilege escalation that has been used in public exploits alongside Adobe vulnerabilities to gain SYSTEM access. Since this has been used publicly, it is advisable to patch it quickly. Following that are two patches from last year resolving a 0-day issue and the last Internet Explorer fix.

The next bundle includes the rest of the updates from this year’s first patch drop, including a fix for a privilege escalation in Win32k.sys, a fix for Word and Word Service for SharePoint (including Office WebApps), and a patch for Microsoft Dynamics AX. The last two will only affect certain environments, so make sure you read the full list of affected software.

The last spot on the list this month goes to the Oracle CPU. I split out Java because of its popularity, but the remainder of the CPU can be bundled up to make it on this list. Oracle Database, Fusion Middleware, and Solaris are just a few of the items with patches available this month.

Happy Patching!

The Tripwire VERT Team – @TripwireVERT