System administrators are in for a busy week after Microsoft, Adobe and Oracle all announced regular patch updates, including 11 from Redmond – four of which were rated critical.
April’s Patch Tuesday covered 26 vulnerabilities, 10 of which were accounted for by Internet Explorer.
That’s 42 bulletins so far in 2015, more than twice the number at the same point last year, according to Shavlik product manager Chris Goettl.
“From a vulnerability standpoint in April 2014 the CVE count for vulnerabilities resolved was at 72. We passed that count in March, with 76 vulnerabilities resolved,” he added. “When this month’s 25 CVEs are included, we have a much higher total of 101 CVEs resolved to date.”
Russ Ernst, director of product management for HEAT Software, urged admins to begin by patching MS15-033, a critical bulletin addressing five CVEs in Office, including one remote code execution zero-day vulnerability, CVE-2015-1641.
“If you’re using IE, MS15-032 should be second on your list,” he added. “This is another cumulative update for all versions of IE and patches 10 CVEs, nine of which are critical. The attacker needs users to open a malicious webpage for user rights to then be secured, but as we know, this is relatively easy for them to accomplish.”
The remaining critical bulletins relate to a vulnerability in the EMF graphics format, which is more easily exploitable in older versions of Windows, and a flaw in the HTTP stack on Windows Server 2008 and 2012, and Windows 7 and 8.
“This is an easily exploited vulnerability for attackers – it can run code on your IIS webserver under the user account and the attacker can then escalate privilege,” said Ernst.
Jon Rudolph, principal software engineer at Core Security, picked out MS15-037 (CVE-2015-0098) for attention – an “important” escalation of privilege vulnerability.
“This is especially a problem when this new control can be used to parlay more information and prepare for future attacks,” he warned.
Elsewhere, the experts are urging admins to focus on Adobe’s Priority 1 APSB15-06 update, which addresses 22 vulnerabilities in Flash Player including one (CVE-2015-3043) which is being actively exploited in the wild.
Meanwhile, Oracle is fixing 15 flaws in Java which are remotely exploitable without authentication and go all the way up to CVSS 10.0.
“Three other Oracle products are resolving CVEs with a 10.0 CVSS Base Score,” said Shavlik’s Goettl.
“So if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, they are all including vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.”