The biggest surprise, however, is that there is no Internet Explorer patch this month. "This must be an indication that the IE team was finally allowed to take some time off over the holidays in light of the grueling 2013 they put in," comments Ross Barrett, senior manager of security engineering at Rapid7. But he doesn't think it's because IE has become suddenly secure: "Expect them back in February," he adds.
Bulletin 1 fixes a remote code execution vulnerability affecting Office and MS Server Software. Bulletins 2 and 3 involve escalations of privilege in Windows, while bulletin 4 fixes a DoS flaw affecting Microsoft Dynamics AX.
"Bulletins 1, 2 and 3 are very interesting," comments Tommy Chin, technical support engineer, CORE Security. "Bulletin 1 is the main door that needs to be patched, but bulletin 2 and 3 provide open doors to administrative access through bulletin 1. The possibility of required restart on bulletin 1 indicates that the vulnerable code is potentially already loaded. I recommend patching bulletin 1 as soon as possible."
Trustwave's Ziv Mador doesn't believe admins should take these patches lightly. He suspects that the elevation of privileges bulletins may fix CVE-2013-5065, aka Kernel NDProxy Vulnerability, which has remained unpatched since November. "This would be one of the higher priority patches since exploits have been observed in the wild taking advantage of this vulnerability in conjunction with an Adobe Reader vulnerability."
"The fourth bulletin," says Barrett, "is a denial of service in the seldom seen Microsoft Dynamics product. This is about as marginal a concern as you can get to in terms of MS advisories." But he adds, "If you have Dynamics in your environment, don’t overlook it. It’s the type of system where downtime can have a material cost to your business."
Wolfgang Kandek, CTO at Qualys, suggests that users should take the opportunity of a light Patch Tuesday to make sure that their systems are using the latest versions of software. "While there is no update for Internet Explorer, taking care of your browser should still be among your highest priority items." He points out that more companies get infected through their browser than through their email. "Beyond the browser," he adds, "one needs to pay attention to the browser plug-ins, and in that class, the most important is Oracle’s Java. Java just suffered a widely published attack during the Yahoo Ad-based attacks from Dec 30 2013-Jan 3 2014, where the Magnitude exploit kit was used to deliver malware to users that were running an outdated version of Java."
14 January 2014
It is more common for threats to be introduced through non-Microsoft applications such as Adobe and Java, which are not updated as regularly by system admins due to most relying on manual updates and WSUS or SCCM for Microsoft. There are many vendors providing 3rd-party patching which would not only streamline patching but also help better protect organisations from day zero attacks. I work with Lumension, who provide the largest repository of non-Windows content support. There are others out there like LANDesk and SolarWinds, but Lumension's defence in depth strategy works best for most organisations looking at complete endpoint security.