Microsoft and Adobe bias their Patch Tuesdays towards the beginning of the month, choosing the second Tuesday, which can be no later than the 14th.
Oracle pitches its fixes at the middle of the month, choosing the Tuesday closest to the 17th (don’t ask – we don’t know why), which can be no earlier than the 14th.
So this is one of these months when they all align and we get a Trifecta – Patch Threesday!
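To see exactly when the two rules above coincide, here is a small added Python example (not part of the original article) that computes both dates for any month. Microsoft's rule gives a day in the 8th..14th range, Oracle's a day in the 14th..20th range, so the only possible overlap is a month whose 14th is a Tuesday, and Oracle only ships CPUs in January, April, July and October:

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1
ORACLE_CPU_MONTHS = (1, 4, 7, 10)  # Oracle patches quarterly


def second_tuesday(year, month):
    """Microsoft's (and Adobe's) Patch Tuesday: the second Tuesday of the
    month, which always falls between the 8th and the 14th."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def oracle_cpu_tuesday(year, month):
    """Oracle's Critical Patch Update day: the Tuesday closest to the 17th,
    which always falls between the 14th and the 20th. No tie is possible,
    because the seven candidate days 14..20 contain exactly one Tuesday."""
    anchor = date(year, month, 17)
    # signed offset in -3..+3 from the 17th to the nearest Tuesday
    offset = (TUESDAY - anchor.weekday() + 3) % 7 - 3
    return anchor + timedelta(days=offset)


def is_patch_threesday(year, month):
    """True when Microsoft/Adobe and Oracle all land on the same Tuesday."""
    return (month in ORACLE_CPU_MONTHS
            and second_tuesday(year, month) == oracle_cpu_tuesday(year, month))


def patch_threesdays(year):
    """Months of the given year in which all three vendors align."""
    return [m for m in range(1, 13) if is_patch_threesday(year, m)]


if __name__ == "__main__":
    for m in ORACLE_CPU_MONTHS:
        print("%d-%02d  MS/Adobe %s  Oracle %s  aligned=%s" % (
            2014, m, second_tuesday(2014, m), oracle_cpu_tuesday(2014, m),
            is_patch_threesday(2014, m)))
    print("Patch Threesdays in 2014:", patch_threesdays(2014))
```

Running it for 2014 shows January (the 14th) and October (also the 14th) as the months where everything lines up, while April and July see Oracle on the 15th, a week after Microsoft.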
All three companies have issued announcements about their forthcoming announcements, and here they are, though they all use slightly different names:
- Prenotification Security Advisory for Adobe Reader and Acrobat
- Oracle Critical Patch Update Pre-Release Announcement – Jan 2014
- Microsoft Security Bulletin Advance Notification for Jan 2014
Adobe’s fixes
If you’re wondering, “What about Adobe Flash” (assuming you still have it installed in your browser), you’ll have to keep on wondering until tomorrow.
Adobe’s only advisory so far in 2014 is the abovementioned “prenotification” for the PDF-related Reader and Acrobat products.
Acrobat and Reader versions X and XI will be getting fixes for critical vulnerabilities, defined by Adobe as:
[Vulnerabilities] which, if exploited would allow malicious native-code to execute, potentially without a user being aware.
That’s what you and I call a drive-by install.
Oracle’s fixes
Oracle’s announcement is the Brobdingnagian bulletin of the three, though that is hardly surprising, considering that the company is patching 40 products in 45 versions, and that it patches only quarterly, not monthly.
The Oracle announcement doesn’t say exactly what bugs are getting squashed, but it does mention a total of 144 vulnerabilities, of which 82 can be considered critical.
In Oracle’s own words:
These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
For a browser-facing product such as Java, that’s what you and I call a drive-by install; for a server product, it’s an unauthenticated remote compromise.
The Oracle update that directly impacts the most users is without doubt the update to Java, which affects users and developers alike.
The new release of Java will supersede all currently-supported versions of Java: 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier.
Remember that Java is not JavaScript, and while most of us use and need JavaScript in our browsers, many of us can manage perfectly well without browser-based Java.
You can have Java installed, allowing you to download and run regular applications written in Java, without activating Java in your browser and thereby exposing it to hostile applets.
Applets are supposed to be safer than applications, but they can be embedded in malicious web pages, and can therefore attack your browser surreptitiously, without triggering any download warnings or asking for permission.
To quote James Wyke of SophosLabs, in our recent Techknow podcast, Understanding Botnets:
Java is one of the most common infection vectors of the last year or so, because lots of people are running an outdated version of Java that lots and lots of exploits exist for.
So you should not only get Oracle’s updates on Tuesday, but also consider turning Java off in your browser if you haven’t already.
(If you aren’t sure, just give it a try. If a website you really need won’t work without Java, you can always turn the Java plugin back on.)
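As an added example (not part of the original article), here is a small Python script that reads the banner printed by `java -version` and decides whether an install is one of the releases this CPU supersedes. The superseded levels are the three listed above (5.0u55, 6u65 and 7u45); the sample banners in the script are constructed, not taken from a real endpoint:

```python
import re
import subprocess

# Highest update level of each Java family superseded by the January 2014 CPU,
# from the pre-release announcement: 5.0u55, 6u65 and 7u45 (and earlier).
SUPERSEDED_BY_JAN_2014_CPU = {5: 55, 6: 65, 7: 45}

# First line of `java -version` output, e.g.  java version "1.7.0_45"
# The family is the second dotted component; the update number follows '_'.
# Trailing build/pre-release tags such as "-b18" or "-ea" are ignored.
BANNER_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner.
    'java version "1.7.0_45"' -> (7, 45); a banner with no update number,
    such as "1.8.0-ea", counts as update 0."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2) or 0)


def java_status(banner, superseded=SUPERSEDED_BY_JAN_2014_CPU):
    """Classify an installed Java against a CPU's superseded versions:
    'superseded'  - the CPU replaces it, so it is missing this round of fixes
    'current'     - newer than the superseded level for its family
    'not-covered' - a family the CPU does not list (e.g. a Java 8 preview)
    """
    family, update = parse_java_version(banner)
    if family not in superseded:
        return "not-covered"
    return "superseded" if update <= superseded[family] else "current"


def local_java_banner():
    """Run `java -version` (it prints to stderr) and return the first line,
    or None if there is no java binary on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    lines = (proc.stderr or proc.stdout).splitlines()
    return lines[0] if lines else None


if __name__ == "__main__":
    # Constructed sample banners to exercise the classifier (not real data)
    samples = [
        'java version "1.7.0_45"',          # exactly the level the CPU replaces
        'java version "1.7.0_25"',          # older still
        'openjdk version "1.6.0_65-b18"',   # OpenJDK wording, build tag present
        'java version "1.5.0_55"',
        'java version "1.8.0-ea"',          # preview family this CPU does not list
    ]
    for s in samples:
        print("%-34s %s" % (s, java_status(s)))
    banner = local_java_banner()
    print("local:", banner, java_status(banner) if banner else "(no java on PATH)")
```

The comparison is per family: a Java 6 install is judged against 6u65, not against the Java 7 level, because Oracle ships a separate update for each supported family in the same CPU.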
Microsoft’s fixes
Last, and this month, by all means the least, comes Microsoft.
Redmond opens its scorecard for 2014 with an impressively modest set of fixes: four bulletins; no Internet Explorer cumulative fix; and no updates denoted critical.
There are two Elevations of Privilege, one Remote Code Execution in Office (rated Important, not Critical) and one Denial of Service, and that’s that.
Two of the bulletins are listed as related to Windows: one of them applies only to Windows XP (which you are no longer using, right?) and Windows Server 2003; the other is for Windows 7 and Server 2008 R2.
Windows 8, Server 2012 and the Server Core versions of Windows escaped without patches this month.
And there you have it: there’s something for just about everybody this month, especially those who still have Java installed.
Are there any fixes for Adobe Flash in the future, so we have the drop-down box in YouTube?
No idea…we’ll have to wait for Adobe 🙂
(Or ditch Flash and let YouTube render using HTML5.)
How close are we getting to being able to ditch Flash in the same way as we have ditched Java?
Try it and see…presumably how you decided whether you could ditch Java. Or use the “click to play” feature in your favourite browser, if it has one. I set Flash in Firefox into “Ask to Activate” mode, so I can render pages without it but turn it on for selected sites if needed.
Tried and got lots of “click to play” (bbc.co.uk seems to be the major site on my visit list that wants Flash).
So it looks as if I will still be regularly visiting adobe.com for downloads.
The first time in two months that Server Core 2012 does not need patching.
And today, prior to the patch updates (we don’t see them until early Wednesday morning), there has been an update from Microsoft for Certificates, particularly those originating from a source in Turkey! And that is not even mentioned in the MS Notification!