Patch Tuesday – get ready for the January 2014 Security Trifecta!


Microsoft and Adobe bias their Patch Tuesdays towards the beginning of the month, choosing the second Tuesday, which can be no later than the 14th.

Oracle pitches its fixes at the middle of the month, choosing the Tuesday closest to the 17th (don’t ask – we don’t know why), which can be no earlier than the 14th.

So this is one of these months when they all align and we get a Trifecta – Patch Threesday!

All three companies have issued announcements about their forthcoming announcements, and here they are, though they all use slightly different names:

Adobe’s fixes

If you’re wondering, “What about Adobe Flash” (assuming you still have it installed in your browser), you’ll have to keep on wondering until tomorrow.

Adobe’s only advisory so far in 2014 is the abovementioned “prenotification” for the PDF-related Reader and Acrobat products.

Acrobat and Reader versions X and XI will be getting fixes for critical vulnerabilties, defined by Adobe as:

[Vulnerabilities] which, if exploited would allow malicious native-code to execute, potentially without a user being aware.

That’s what you and I call a drive-by install.

Oracle’s fixes

Oracle’s announcement is the Brobdingnagian bulletin of the three, though that is hardly surprising, considering that the company is patching 40 products in 45 versions, and that it patches only quarterly, not monthly.

The Oracle announcement doesn’t say exactly what bugs are getting squashed, but it does mention a total of 144 vulnerabilities, of which 82 can be considered critical.

In Oracle’s own words:

These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

That’s what you and I call a drive-by install.

The Oracle update that directly impacts the most users is without doubt the update to Java, which affects users and developers alike.

The new release of Java will supersede all currently-supported versions of Java: 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier.

Remember that Java is not JavaScript, and while most of us use and need JavaScript in our browsers, many of us can manage perfectly well without browser-based Java.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)

You can have Java installed, allowing you to download and run regular applications written in Java, without activating Java in your browser and thereby exposing it to hostile applets.

Applets are supposed to be safer than applications, but they can be embedded in malicious web pages, and can therefore attack your browser surreptitiously, without triggering any download warnings or asking for permission.

To quote James Wyke of SophosLabs, in our recent Techknow podcast, Understanding Botnets:

Java is one of the most common infection vectors of the last year or so, because lots of people are running an outdated version of Java that lots and lots of exploits exist for.

So you should not only get Oracle’s updates on Tuesday, but also consider turning Java off in your browser if you haven’t already.

(If you aren’t sure, just give it a try. If a website you really need won’t work without Java, you can always turn the Java plugin back on.)

Microsoft’s fixes

Last, and this month, by all means the least, comes Microsoft.

Redmond opens its scorecard for 2014 with an impressively modest set of fixes: four bulletins; no Internet Explorer cumulative fix; and no updates denoted critical.

There are three Elevations of Privilege and one Denial of Service, and that’s that.

Two of the bulletins are listed as related to Windows: one of them applies only to Windows XP (which you are no longer using, right?); the other is for Windows 7 and Server 2008 R2.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)

Windows 8, Server 2012 and the Server Core versions of Windows escaped without patches this month.

And there you have it: there’s something for just about everybody this month, especially those who still have Java installed.