The biggest surprise, however, is there is no Internet Explorer patch this month. "This must be an indication that the IE team was finally allowed to take some time off over the holidays in light of the grueling 2013 they put in," comments Ross Barrett, senior manager of security engineering at Rapid7. But he doesn't think it's because IE has become suddenly secure: "Expect them back in February," he adds.
Bulletin 1 fixes a remote code execution vulnerability affecting Office and MS Server Software. Bulletins 2 and 3 involve escalations of privilege in Windows, while bulletin 4 fixes a DoS flaw affecting Microsoft Dynamics AX.
"Bulletins 1, 2 and 3 are very interesting," comments Tommy Chin, technical support engineer, CORE Security. "Bulletin 1 is the main door that needs to be patched, but bulletin 2 and 3 provide open doors to administrative access through bulletin 1. The possibility of required restart on bulletin 1 indicates that the vulnerable code is potentially already loaded. I recommend patching bulletin 1 as soon as possible."
Trustwave's Ziv Mador doesn't believe admins should take these patches lightly. He suspects that the elevation of privileges bulletins may fix CVE-2013-5065, aka Kernel NDProxy Vulnerability, which has remained unpatched since November. "This would be one of the higher priority patches since exploits have been observed in the wild taking advantage of this vulnerability in conjunction with an Adobe Reader vulnerability."
"The fourth bulletin," says Barrett, "is a denial of service in the seldom seen Microsoft Dynamics product. This is about as marginal a concern as you can get to in terms of MS advisories." But he adds, "If you have Dynamics in your environment, don’t overlook it. It’s the type of system where downtime can have a material cost to your business.”
Wolfgang Kandek, CTO at Qualys, suggests that users should take the opportunity of a light Patch Tuesday to make sure that their systems are using the latest versions of software. "While there is no update for Internet Explorer, taking care of your browser should still be among your highest priority items." He points out that more companies get infected through their browser than through their email. "Beyond the browser," he adds, "one needs to pay attention to the browser plug-ins, and in that class, the most important is Oracle’s Java. Java just suffered a widely published attack during the Yahoo Ad-based attacks from Dec 30 2013-Jan 3 2014, where the Magnitude exploit kit was used to deliver malware to users that were running an outdated version of Java."