Patch Tuesday wrap-up, March 2014 - critical from Microsoft, important from Adobe


We already wrote about Microsoft's March 2014 patches, noting that, as usually happens, there was an All Points Bulletin for Internet Explorer coming up.

Microsoft doesn't call them APBs, of course - they are Cumulative Security Updates, with one bulletin covering all the numerous versions, bitnesses and CPU flavours of Redmond's IE browser.

What we weren't able to tell you in advance was whether the widely-publicised (but fortunately not widely-exploited) CVE-2014-0322 hole would be closed.

Good news - the fix made it into this month's update.

As we mentioned before, there wasn't actually a terrible urgency for the CVE-2014-0322 fix, because a number of workarounds and mitigations were available.

But a permanent fix is a permanent fix, so apply it as soon as you can, if you haven't let Windows Update apply it for you already.

Adobe Flash has an important fix to add to its two recent between-Patch-Tuesday critical updates.

Flash Player goes to 12.0.0.77 on Windows and Macintosh; Linux users are stuck on an older flavour of version 11 forever, and go to 11.2.202.346; other users who have stayed with version 11 out of choice or necessity get 11.7.700.272.

Google Chrome, Microsoft IE 10 and Microsoft IE 11 include and manage their own Flash player code - Adobe has confirmed that both Google and Microsoft have published the necessary patches.

The Microsoft flavour of Adobe's security fix isn't listed amongst Microsoft's own Patch Tuesday bulletins, but Microsoft's updating tools should take care of it for you.

If you prefer the manual approach, KB2938527 has the details and the downloads.

Of course, those are just the top-of-mind patches.

Don't forget the other four Microsoft bulletins.

We've written them up with our assessment of their likely risk, if you like to do a risk/benefit check before you go live with updates, as follows:

| Microsoft ID | Sophos ID | Description | KB number |
|---|---|---|---|
| MS14-013 | VET585 | Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution | 2929961 |
| MS14-014 | VET587 | Vulnerability in Silverlight Could Allow Security Feature Bypass | 2932677 |
| MS14-015 | VET586 | Vulnerabilities in Windows Kernel Mode Driver Could Allow Elevation of Privilege | 2930275 |
| MS14-016 | VET588 | Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass | 2934418 |

If you are still in any doubt about the value of patches (or need to convince yourself of the trouble approaching when patches go missing from XP after next month), we invite you to read the latest paper by SophosLabs researcher Gabor Szappanos.

Szappi, as he is known, is a regular on Sophos Naked Security: he writes articles that are crisp, logical and end with clear advice.

In his latest report, Advanced Persistent Threats - the new normal?, Szappi takes a look at how APT-type attacks have gone mainstream.

He explains how 91% of a class of widely-reported threats that we still talk about as "Advanced" could have been rendered harmless by Microsoft patches issued in 2010 and 2012.

Don't delay. Patch today!


2 Responses to Patch Tuesday wrap-up, March 2014 - critical from Microsoft, important from Adobe

  1. doug · 132 days ago

    "Linux users are stuck on an older flavour of version 11 forever, and go to 11.2.202.346; other users who have stayed with version 11 out of choice or necessity get 11.7.700.272."

    All true, which is why Linux users should use Chrome when using Flash. Implied, but not explicit, in your text.

    Chrome on Debian stable -- "You have version 12,0,0,77 installed"

  2. MikeP_UK · 132 days ago

    7 updates for one PC and 4 on the other (don't know why the difference as they both run the same software set!) - plus managed to 'hide' the unwanted End of Support warning executable for XP as we don't need it 'cause we already know it is ending next month.
    Why does the Adobe option 'Tell me when updates are available' not tell me when updates are available? Adobe need to fix that pronto. And no, I will not use automatic updates as I don't want any of the oft included foistware and want updates to run when the machine is not in use for more important tasks (such as earning a living!), so I always use the tell me options then I get to choose what and when.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog