There has been an unusual amount of drama leading up to Patch Tuesday April 2014. If you listen to the media, you might believe we are on the precipice of an apocalypse, overreacting to nothing, or anything in between.
The reality first and foremost is that it is just another important day to apply patches. Microsoft released four patches fixing 11 vulnerabilities in Windows, Internet Explorer, Microsoft Word and Microsoft Publisher.
Adobe also released a patch for Flash Player today addressing four vulnerabilities.
First I will cover off the two critical Microsoft patches. One fixes the recently discovered zero-day vulnerability targeting Microsoft Word 2010.
While MS14-017 fixes the flaw in Word 2003 through Word 2013 for Mac and Windows, the flaw is only known to have been exploitable in Word 2010 for Windows.
MS14-018 fixes six privately reported vulnerabilities in Internet Explorer versions 6 through 11. Although it is believed that criminals are not actively exploiting these flaws, any time there is an issue with your web browser you should address it promptly.
MS14-019 and MS14-020 fix important vulnerabilities in Windows and Publisher. The Windows bug is related to the loading of CMD.EXE by scripts and potentially poorly written applications. It is similar to the DLL load order vulnerabilities we wrote about in 2010.
Adobe’s fixes are critical, but nothing of particular note. While they include a cross-site scripting, buffer overflow, security bypass and use-after-free vulnerability, this isn’t meant to be a test of your knowledge of vulnerabilities.
As always, Adobe fixes are available from http://get.adobe.com/flashplayer.
To learn more about what all these vulnerability terms and acronyms mean, why not listen to our Techknow podcast on vulnerabilities?