Patch Tuesday - get ready for the January 2014 Security Trifecta!

Filed Under: Adobe, Featured, Microsoft, Oracle, Security threats, Vulnerability

Microsoft and Adobe bias their Patch Tuesdays towards the beginning of the month, choosing the second Tuesday, which can be no later than the 14th.

Oracle pitches its fixes at the middle of the month, choosing the Tuesday closest to the 17th (don't ask - we don't know why), which can be no earlier than the 14th.

So this is one of these months when they all align and we get a Trifecta - Patch Threesday!

All three companies have issued announcements about their forthcoming announcements, and here they are, though they all use slightly different names:

Adobe's fixes

If you're wondering, "What about Adobe Flash" (assuming you still have it installed in your browser), you'll have to keep on wondering until tomorrow.

Adobe's only advisory so far in 2014 is the abovementioned "prenotification" for the PDF-related Reader and Acrobat products.

Acrobat and Reader versions X and XI will be getting fixes for critical vulnerabilties, defined by Adobe as:

[Vulnerabilities] which, if exploited would allow malicious native-code to execute, potentially without a user being aware.

That's what you and I call a drive-by install.

Oracle's fixes

Oracle's announcement is the Brobdingnagian bulletin of the three, though that is hardly surprising, considering that the company is patching 40 products in 45 versions, and that it patches only quarterly, not monthly.

The Oracle announcement doesn't say exactly what bugs are getting squashed, but it does mention a total of 144 vulnerabilities, of which 82 can be considered critical.

In Oracle's own words:

These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

That's what you and I call a drive-by install.

The Oracle update that directly impacts the most users is without doubt the update to Java, which affects users and developers alike.

The new release of Java will supersede all currently-supported versions of Java: 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier.

Remember that Java is not JavaScript, and while most of us use and need JavaScript in our browsers, many of us can manage perfectly well without browser-based Java.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)

You can have Java installed, allowing you to download and run regular applications written in Java, without activating Java in your browser and thereby exposing it to hostile applets.

Applets are supposed to be safer than applications, but they can be embedded in malicious web pages, and can therefore attack your browser surreptitiously, without triggering any download warnings or asking for permission.

To quote James Wyke of SophosLabs, in our recent Techknow podcast, Understanding Botnets:

Java is one of the most common infection vectors of the last year or so, because lots of people are running an outdated version of Java that lots and lots of exploits exist for.

So you should not only get Oracle's updates on Tuesday, but also consider turning Java off in your browser if you haven't already.

(If you aren't sure, just give it a try. If a website you really need won't work without Java, you can always turn the Java plugin back on.)

Microsoft's fixes

Last, and this month, by all means the least, comes Microsoft.

Redmond opens its scorecard for 2014 with an impressively modest set of fixes: four bulletins; no Internet Explorer cumulative fix; and no updates denoted critical.

There are three Elevations of Privilege and one Denial of Service, and that's that.

Two of the bulletins are listed as related to Windows: one of them applies only to Windows XP (which you are no longer using, right?); the other is for Windows 7 and Server 2008 R2.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)

Windows 8, Server 2012 and the Server Core versions of Windows escaped without patches this month.

And there you have it: there's something for just about everybody this month, especially those who still have Java installed.

, , , , , , , , , , ,

You might like

7 Responses to Patch Tuesday - get ready for the January 2014 Security Trifecta!

  1. Anonymous · 593 days ago

    Are there any fixes for Adobe flash in the future so we have the drop down box in youtube.

    • Paul Ducklin · 593 days ago

      No idea...we'll have to wait for Adobe :-)

      (Or ditch Flash and let YouTube render using HTML5.)

  2. flash-man! · 593 days ago

    How close are we getting to being able to ditch Flash in the same way as we have ditched Java?

    • Paul Ducklin · 593 days ago

      Try it and see...presumably how you decided whether you could ditch Java. Or use the "click to play" feature in your favourite browser, if it has one. I set Flash in Firefox into "Ask to Activate" mode, so I can render pages without it but turn it on for selected sites if needed.

      • flash-man! · 589 days ago

        Tried and got lots of "click to play" ( seems to be the major site on my visit list that wants flash).

        So look as if I will still be regularly visiting for downloads

  3. Anonymous · 593 days ago

    The first time in two months that server core 2012 does not need patching.

  4. MikeP_UK · 592 days ago

    And today, prior to the patch updates (we don't see them until early Wednesday morning), there has been an update from Microsoft for Certificates, particularly those originating from a source in Turkey! And that is not even mentioned in the MS Notification!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog